Agent Comm Skill

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its secure-agent-communication purpose, but its relay communication and local key storage are not safely bounded.

Review carefully before installing. Use only trusted WSS relay servers, do not broadcast sensitive data unless you explicitly encrypt and verify it, avoid untrusted agent aliases/local IDs, and protect or periodically clean up the data/keystore directory.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A bad or prompt-injected agent ID could create or access signing-key files in unexpected local paths, potentially weakening containment of the keystore.

Why it was flagged

The agent ID is used directly as part of a filesystem path for key creation and lookup. Because index.js derives localAgentId from params.alias/localId, a crafted value containing path separators could move key files outside the intended keystore.

Skill content

const VAULT_PATH = path.join(process.cwd(), 'data/keystore');
...
const keyPath = path.join(VAULT_PATH, `${localAgentId}.keys.json`);
...
fs.writeFileSync(keyPath, JSON.stringify({ publicKey: ..., privateKey: ... }), { mode: 0o600 });

Recommendation

Restrict agent IDs to a safe character allowlist, reject path separators and '..', resolve paths and ensure they stay inside the keystore directory, and document the keystore location.

What this means

A malicious or misconfigured relay could inject updates into the agent workflow, and broadcast data may be visible to the relay unless callers add their own encryption and verification.

Why it was flagged

The skill accepts a caller-supplied relay URL, defaults to unencrypted ws://, forwards incoming relay payloads to callbacks without signature/origin checks, and broadcasts payloads unchanged unless the caller separately encrypts/signs them.

Skill content

const { sessionId, localId, did, relayUrl = 'ws://localhost:3001', onUpdate } = params;
...
const ws = new WebSocket(relayUrl);
...
if (msg.action === 'update') { const cb = updateCallbacks.get(sessionId); if (cb) cb(msg.payload); }
...
ws.send(JSON.stringify({ action: 'broadcast', sessionId, payload }));

Recommendation

Use only trusted configured relay endpoints, prefer wss://, authenticate relay identity, verify signatures on every incoming update, and require encryption before broadcasting sensitive payloads.

What this means

Anyone who can read the keystore can impersonate that local agent identity, and the agent can sign data using that identity when invoked.

Why it was flagged

The skill persists local Ed25519 private keys and later uses them to sign arbitrary payloads for the named local agent identity.

Skill content

privateKey: sodium.to_hex(keypair.privateKey)
...
JSON.parse(fs.readFileSync(keyPath));
...
sodium.crypto_sign_detached(payloadString, Buffer.from(keys.privateKey, 'hex'))

Recommendation

Protect the keystore, consider OS keychain or encrypted-at-rest storage, and require clear user intent before signing important payloads.

What this means

The installed/runtime code path may depend on an undeclared build step or may fail, making it harder for users to know exactly what will execute.

Why it was flagged

The plugin entry points to dist/index.js, but the provided manifest contains only source files such as index.js/index.ts and no dist/ entry, and the registry says there is no install spec.

Skill content

"entry": "dist/index.js"

Recommendation

Publish the exact runtime entry file or provide a clear install/build spec, and ensure the manifest matches the plugin entry.