Agent Relay
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A trusted or compromised relay participant could cause your agent to process remote content, potentially influencing tool use or decisions.
This documents remote agent-to-agent activation, but the artifacts do not define clear sender identity checks, permissions, or data boundaries for inbound messages.
Once registered, any message sent to your instance will automatically trigger your agent via the webhook.
Use only with a trusted relay and trusted team token; restrict the webhook to a dedicated low-privilege agent, validate senders, and require user approval before acting on remote messages.
The relay can keep waking the agent after setup, including when the user is not actively requesting a relay action.
The setup creates durable remote activation of the agent after a one-time registration, and the provided instructions do not show revocation, expiry, or runtime approval controls.
No persistent connections required. Just register your webhook once and forget about it.
Document and use a clear disable/unregister path, rotate webhook tokens, monitor inbound relay events, and avoid connecting high-privilege agents.
If these tokens are exposed or shared too broadly, someone could publish relay messages or invoke the registered agent webhook.
The relay workflow uses a bearer team token and sends an OpenClaw hook token to the relay, which is expected for this integration but grants meaningful authority.
-H "Authorization: Bearer $RELAY_TEAM_TOKEN" ... "token": "your-openclaw-hooks-token"
Store tokens only in secrets, use dedicated low-privilege tokens, rotate them regularly, and avoid putting them in logs or shared command history.
Sensitive message contents may persist on the relay, and stale or malicious queued messages could later influence the receiving agent.
Messages may be stored by the relay for up to seven days and later delivered into an agent's context.
offline message queued (7-day TTL) + webhook fired
Do not send secrets through the relay unless the relay is trusted and appropriately protected; consider self-hosting and clearing queues when needed.
Users have less provenance information for the relay they are trusting with messages and webhook credentials.
The registry metadata does not provide a source or homepage for the skill, even though the relay service is central to message and token handling.
Source: unknown; Homepage: none
Verify the relay implementation and operator before use; prefer a reviewed self-hosted deployment or a trusted service with clear security documentation.
