qclaw-openclaw
Warn
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides cross-platform scripts (openclaw-mac.sh and openclaw-win.cmd) that execute shell commands. These scripts pass agent-provided arguments directly to an underlying execution environment, which is the intended functionality but represents a significant system capability.
- [COMMAND_EXECUTION]: The paths for the Node.js runtime and the OpenClaw application script are resolved dynamically at runtime from a local JSON configuration file (~/.qclaw/qclaw.json). This dynamic execution pattern allows the skill to run binaries and scripts from paths that are not hardcoded or verified by the skill itself, creating a risk of execution redirection if the configuration file is modified by a malicious actor or process on the system.
Audit Metadata