
      Safety Report

      Openclaw Spacesuit

      @jontsai

      A comprehensive OpenClaw workspace framework providing session protocols, memory system, git workflow, safety rules, priority triage, communication handoffs,...

      1,498 Downloads
      0 Installs
      2 Stars
      3 Versions
      Workflow Automation (3,323) · Notes & Knowledge (902) · Git & Version Control (784) · Legal & Compliance (738)

      Security Analysis

      medium confidence
      Clean

      The package is mostly coherent with a workspace-scaffold purpose, but its runtime instructions and templates instruct agents to scan dotfiles, home config, and cloud session stores (and include a “Don’t ask permission. Just do it.” policy), which is broader than a simple scaffold and raises privacy/credential-risk concerns you should understand before installing.

      Mar 7, 2026 · 28 files · 3 concerns
      Purpose & Capability: note

      Name and files match a workspace scaffold: templates, base content, installer, upgrade/diff, and a session-sync script. However several policy files (AGENTS.md, TOOLS.md) explicitly instruct searching the workspace root, cloud storage, home config (~/.config), dotfiles, and .envrc for credentials — behavior that is broader than a minimal scaffold and worth scrutiny.

      Instruction Scope: concern

      Runtime documentation and base AGENTS.md instruct agents to automatically load SECURITY.md, SOUL.md, USER.md and read daily memory files, search home config and cloud storage, and 'Don't ask permission. Just do it.' This grants the agent broad discretion to read local files (including potential secrets) and discover data outside the workspace; scripts also read ~/.openclaw session transcripts. The explicit instruction to proactively search home dotfiles and cloud locations is scope-creep for a scaffold.

      Install Mechanism: ok

      No remote installers or downloads; the package is instruction-only from ClawHub and contains local bash scripts (install/upgrade/diff/sync) that copy templates into the workspace and create local directories. No external network fetches or obscure URLs in the install path were found.

      Credentials: concern

      The package declares no required environment variables, but the documentation and templates instruct searching .envrc, .env, ~/.config, gateway config and environment variables for credentials. Asking agents to scan these credential locations is disproportionate unless the user explicitly consents and configures it; the skill does not declare or justify needing blanket access to secrets.

      Persistence & Privilege: ok

      always:false and user-invocable true. The install/upgrade scripts write files into the workspace (templates, scripts, .spacesuit-version, heartbeat state) which is expected for a scaffold. The skill does not request system-wide privileges or modify other skills.

      Guidance

      What to consider before installing:

      - Review and run in a safe test workspace first: clone the repo into a throwaway workspace and run ./scripts/diff.sh and ./scripts/upgrade.sh --dry-run before applying anything to a production workspace.
      - Inspect templates and scripts yourself (install.sh, upgrade.sh, sync-operators.sh). The package will copy files and scripts into your workspace root and create directories (memory/, handoff/, decisions/, scripts/, state/).
      - Pay special attention to instructions that tell agents to search ~/.config, dotfiles, .envrc, and cloud session folders. Those are common places for secrets. If you do not want automatic scanning of those locations, avoid running sync scripts or modify them to limit paths (or set OPENCLAW_SESSIONS_DIR explicitly and run with --dry-run).
      - Note contradictory guidance: AGENTS.md contains both a strict SECURITY.md and a line 'Don't ask permission. Just do it.' Decide which behavior you want agents to follow; consider editing AGENTS.md/SOUL.md to enforce explicit consent before any external or cross-home actions.
      - The pre-scan "injection" patterns are present in SECURITY.md as defensive examples; they are not an active attack but demonstrate the project trains agents to refuse such prompts.
      - Practical steps: run sync-operators.sh with --dry-run; set restrictive file permissions on workspace; ensure you control OPENCLAW_PROFILE/OPENCLAW_SESSIONS_DIR before running; search the templates for any accidental secret values before upgrade/install.

      Confidence: medium — the package is internally consistent as a scaffold, but several explicit instructions expand its read-scope to home/cloud credential locations and include strong autonomy language that may be surprising; that makes the risk profile ambiguous and worth manual review before use.

      Latest Release

      v0.3.0

      v0.3.0: Add CONTRIBUTING.md, CODE_OF_CONDUCT.md, and --profile flag for multi-OpenClaw support


      Published by @jontsai on ClawHub
