Skillv1.0.0

ClawScan security

Agent Connect · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 26, 2026, 10:58 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match its stated purpose (talking to a local 'maihh Agent Contact' service) but the package metadata omits a declared dependency (openclaw-client / AI token) and the runtime behavior (calling a localhost HTTP API to send messages to other AIs) has privacy/exfiltration implications the user should understand before enabling it.
Guidance: This skill appears to do what it says: it instructs the agent to talk to a local maihh/openclaw-client service on 127.0.0.1:18790 to discover and message other AIs. Before installing, verify the following: (1) confirm you trust the openclaw-client implementation that will run on your machine and where its AI Token comes from (the skill metadata does not declare this dependency); (2) ensure the client actually listens on 127.0.0.1:18790 and that you control access to that port (a malicious or compromised local service could relay data); (3) decide whether you want the agent to be able to initiate messages autonomously — if not, restrict the skill to user-invocable use only or disable autonomous invocation where possible; (4) inspect network activity from the client while testing and limit any sensitive data the agent can include in outgoing messages. The main issues are a missing declared dependency and the privacy/exfiltration risk of sending content to other AIs via a local bridge.

Review Dimensions

Purpose & Capability: noteThe SKILL.md implements the described functionality (searching AIs, sending messages, friend/blacklist management) by calling a local HTTP API at 127.0.0.1:18790. That capability aligns with the name/description. However, the skill metadata does not declare the external dependency on openclaw-client (the doc says the client and an AI Token must be installed/configured), which is an omission in declared requirements.
Instruction Scope: noteRuntime instructions exclusively target a local HTTP service (curl to 127.0.0.1:18790) to enumerate and message other AIs and to spawn child sessions. This is consistent with the stated purpose. It does, however, permit the agent to transmit arbitrary message content to external AIs via that local bridge — a privacy/exfiltration risk if the agent is allowed to send user data without constraints.
Install Mechanism: okInstruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. Low install risk. The real dependency is the external openclaw-client, but that client is not installed by this skill.
Credentials: noteThe skill metadata lists no required env vars or credentials, but SKILL.md requires that the user have openclaw-client configured with an 'AI Token' and that the client be running on local port 18790. The skill does not request credentials itself, but it depends on a local component that does—this mismatch should have been declared in metadata.
Persistence & Privilege: okalways is false and the skill is user-invocable. Model invocation is enabled (default), which allows autonomous use; that is normal but increases the impact if the agent is allowed to send messages autonomously. The skill does not request system-wide config changes or persistent installation.