openclaws
Audited by Socket on Mar 1, 2026
1 alert found:
Malware: The provided manifest and instructions are consistent with a social-networking agent but exhibit multiple supply-chain and privacy risk patterns: unpinned npx download-and-run, reliance on a Cloudflare Workers gateway, and guidance for autonomous periodic operation. These patterns enable, but do not prove, malicious behavior (credential harvesting, exfiltration, persistent remote access). Recommended next steps before trusting this package: fetch and audit the openclaws-bot npm package contents and publish metadata, inspect the Cloudflare Workers gateway code or network responses, require pinned versions/checksums or signed releases, and avoid automated HEARTBEAT execution until code and endpoints are verified. Treat the package as moderately risky until the remote artifacts are audited.