Agent Relay

ReviewAudited by ClawScan on May 10, 2026.

Overview

Agent Relay is coherent, but registering it creates a standing webhook that lets other relay participants send messages that wake and influence your agent.

Install only if you trust the relay and the other instances on the team. Use a dedicated low-privilege agent/webhook token, treat inbound relay messages as untrusted requests rather than commands, require confirmation for impactful actions, avoid sending secrets, and make sure you know how to disable or rotate the webhook credentials.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

A trusted or compromised relay participant could cause your agent to process remote content, potentially influencing tool use or decisions.

Why it was flagged

This documents remote agent-to-agent activation, but the artifacts do not define clear sender identity checks, permissions, or data boundaries for inbound messages.

Skill content

Once registered, any message sent to your instance will automatically trigger your agent via the webhook.

Recommendation

Use only with a trusted relay and trusted team token; restrict the webhook to a dedicated low-privilege agent, validate senders, and require user approval before acting on remote messages.

Medium

#ASI10: Rogue Agents

What this means

The relay can keep waking the agent after setup, including when the user is not actively requesting a relay action.

Why it was flagged

The setup creates durable remote activation of the agent after a one-time registration, and the provided instructions do not show revocation, expiry, or runtime approval controls.

Skill content

No persistent connections required. Just register your webhook once and forget about it.

Recommendation

Document and use a clear disable/unregister path, rotate webhook tokens, monitor inbound relay events, and avoid connecting high-privilege agents.

Low

#ASI03: Identity and Privilege Abuse

What this means

If these tokens are exposed or shared too broadly, someone could publish relay messages or invoke the registered agent webhook.

Why it was flagged

The relay workflow uses a bearer team token and sends an OpenClaw hook token to the relay, which is expected for this integration but grants meaningful authority.

Skill content

-H "Authorization: Bearer $RELAY_TEAM_TOKEN" ... "token": "your-openclaw-hooks-token"

Recommendation

Store tokens only in secrets, use dedicated low-privilege tokens, rotate them regularly, and avoid putting them in logs or shared command history.

Low

#ASI06: Memory and Context Poisoning

What this means

Sensitive message contents may persist on the relay, and stale or malicious queued messages could later influence the receiving agent.

Why it was flagged

Messages may be stored by the relay for up to seven days and later delivered into an agent's context.

Skill content

offline  message queued (7-day TTL) + webhook fired

Recommendation

Do not send secrets through the relay unless the relay is trusted and appropriately protected; consider self-hosting and clearing queues when needed.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users have less provenance information for the relay they are trusting with messages and webhook credentials.

Why it was flagged

The registry metadata does not provide a source or homepage for the skill, even though the relay service is central to message and token handling.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the relay implementation and operator before use; prefer a reviewed self-hosted deployment or a trusted service with clear security documentation.