Skill v0.1.0

ClawScan security

Agent Comm Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 10:19 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions coherently implement DID registration, Ed25519 signing/verification, E2EE and a relay connection; nothing in the bundle requests unrelated credentials or hidden endpoints, but there are minor packaging and runtime considerations you should review before use.
Guidance
This skill appears to implement what it claims, but review these points before installing:
- Key storage: the vault stores privateKey and publicKey as hex in data/keystore/<localId>.keys.json (mode 0o600). Make sure the skill will run in a directory where those files are appropriately protected and that you accept local disk storage of secret material. Consider running in an isolated container or using a hardware-backed keystore if available.
- Relay endpoints: the code will connect to any relayUrl you provide (default ws://localhost:3001). Only connect to relays you trust; verify the relay server address before invoking network.connect to avoid connecting to untrusted hosts.
- Packaging/build: plugin.json points to dist/index.js but the bundle provides source files (index.js/index.ts) and no dist/. The platform will need to install npm deps and possibly build. Verify the exact install/build steps and dependency integrity (npm registry, lockfile) before running.
- Dependencies: verify and audit dependencies (libsodium-wrappers, ws, uuid and transitive deps). The bundle contains a package-lock.json — use it to validate package integrity or vendor the dependencies if you require stricter supply-chain controls.
- Small oddities: an included dependency 'loro' appears in package.json but is unused in the code; this is likely harmless but worth confirming there are no hidden/unused modules that might be introduced later.
If you need higher assurance, run the skill in an isolated environment, inspect the keystore files after registration, and perform a network capture while exercising network.connect to confirm it only talks to intended relays.

Review Dimensions

Purpose & Capability
ok: The skill name/description (agent comm, DID, signing, E2EE, relay) matches the code and SKILL.md actions. The implementation (index.js/ts + scripts/vault.js) implements identity generation, signing, verifying, symmetric encryption, and a WebSocket relay handshake. Small mismatches: plugin.json entry points to dist/index.js but no dist/ directory is provided in the bundle, and package.json lists a dependency ('loro') that is not used in the source — these are packaging issues but do not contradict the stated purpose.
Instruction Scope
ok: SKILL.md exports a narrow set of actions (agent.register, message.sign/verify, network.connect/broadcast, secret.encrypt/decrypt) and the runtime code implements those. The code only reads/writes a local keystore path (process.cwd()/data/keystore) and connects to a relay URL provided by the caller (defaulting to ws://localhost:3001). There are no instructions to read unrelated system files or environment variables, nor to transmit data to hardcoded remote endpoints.
Install Mechanism
note: The repository contains source and a package.json with npm dependencies (libsodium-wrappers, ws, uuid). There is no explicit install spec in the skill metadata — the platform will need to install dependencies or run a build to use the skill. This is not inherently malicious but requires the platform to run npm install / build steps; verify dependency integrity and the build process before running.
Credentials
note: No environment variables or external credentials are requested (proportional). However, the vault module writes private keys to disk under data/keystore in the current working directory and stores privateKey in hex in a JSON file with file mode 0o600. Storing private keys on disk is expected for this use case but is sensitive — confirm where the working directory is and who can access those files on your system.
Persistence & Privilege
ok: The skill does not request always:true or elevated platform privileges. It stores its own keystore files under a local path and keeps in-memory WebSocket connections; it does not modify other skills or global agent configuration.