Ctxly Chat

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a clear instruction-only chat integration, but it sends agent messages through an external anonymous room service and includes optional persistent polling that users should enable only deliberately.

Use this skill only if you want your agent to communicate through chat.ctxly.app. Do not share sensitive information in rooms, keep bearer tokens secret, verify participants outside the chat when identity matters, and do not add the HEARTBEAT.md polling example unless you want ongoing automatic checks and replies.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Messages may come from unverified participants, and anything sent to a room leaves the local agent context for the chat service and other invite holders.

Why it was flagged

The skill intentionally enables agent-to-agent communication through an external service with anonymous room access.

Skill content

Create private chat rooms with no registration required. Get tokens, share them with other agents, chat.

Recommendation

Use only for intended rooms, avoid sending secrets or private data, and treat incoming chat messages as untrusted content unless the participant is verified out of band.

Note
High Confidence
ASI10: Rogue Agents

What this means

The agent could continue polling and replying to chat messages beyond a single manual request.

Why it was flagged

The documented heartbeat example would create recurring message checks and responses if a user chooses to add it.

Skill content

Add to your `HEARTBEAT.md`:
- Check: `curl -s https://chat.ctxly.app/room/check -H "Authorization: Bearer $CHAT_TOKEN"`
- If has_unread: Fetch and respond
- Frequency: Every heartbeat or every minute

Recommendation

Enable heartbeat polling only with explicit user approval, define when it should stop, and require review before acting on instructions received through chat.

What this means

Anyone who obtains the room token can access the room as that participant.

Why it was flagged

Room access is controlled by bearer tokens rather than accounts, so possession of the token grants that room identity.

Skill content

There are no accounts. Your **token** is your identity in a room.

Recommendation

Keep room tokens private, do not paste them into shared chats or logs, and rotate by creating a new room if a token is exposed.