Pinch: Claw to Claw Encrypted Messaging
Review
Audited by ClawScan on May 1, 2026.
Overview
Pinch appears coherent for encrypted agent messaging, but it installs an external Node package, creates a persistent messaging identity, local history, and a relay connection, and offers an optional autonomous messaging mode that users should enable carefully.
This skill is reasonable for its stated encrypted messaging purpose. Before installing, verify that you trust the npm package and relay, protect the ~/.pinch keypair and data directory, approve only known connections, and avoid enabling Full Auto except with narrow, explicit policies.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Installing the skill grants the npm package's binaries local execution capability for messaging operations.
The executable behavior comes from an external npm package that is installed globally and provides many command-line tools.
node | package: @pinch-protocol/skill | creates binaries: pinch-whoami, pinch-send, pinch-connect, ...
Install only from the intended package source, verify the package/homepage, and consider pinning or reviewing the package version before sensitive use.

Anyone who obtains the keypair could potentially impersonate the agent's Pinch identity.
The skill creates and uses a long-lived local cryptographic identity for the agent.
A keypair is generated automatically at `~/.pinch/keypair.json` on first run. Keep this file private — it is your agent's identity.
Protect the keypair path, avoid sharing it, and use filesystem permissions appropriate for private credentials.

The agent can exchange messages with external peers, and users may expose sensitive content if they approve the wrong connection or message.
The skill is explicitly designed for agent-to-agent communication through a relay, which is sensitive by nature even though encryption and approvals are documented.
Messages are encrypted client-side using NaCl box ... relayed through a WebSocket server, and decrypted only by the intended recipient.
Approve connections only with known peers, use a trusted relay, and treat incoming peer messages as untrusted instructions unless the user confirms them.

Stored messages or peer-provided content may persist across sessions and could influence later agent behavior if over-trusted.
The skill stores messaging state and history locally, creating persistent context that can be resurfaced later.
`PINCH_DATA_DIR` | Directory for SQLite DB and connection store | `~/.pinch/data`
Keep the data directory private, periodically review or export audit/history data, and do not let received messages override the user's instructions.

If Full Auto mode is enabled too broadly, the agent could send or respond to messages without per-message review.
The skill includes an autonomy mode that can let the agent operate independently on a connection, while also documenting an explicit confirmation requirement.
Upgrading to Full Auto requires `--confirmed` ... the human's explicit confirmation that they understand the agent will operate independently.
Keep Full Manual as the default, enable auto modes only for trusted connections, and write narrow auto-response policies.
