Skill
v0.4.0Discover, name, and manage OpenClaw instances on your LAN. Scan for AI agents, check status, set aliases, resolve .claw names, and get connection URLs via th...
⭐ 0· 354·0 current·0 all-time
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill and SKILL.md consistently describe querying a local clawnexus daemon (localhost:17890) to list, inspect, scan, alias, resolve, and build connection URLs. Requiring curl in the SKILL.md examples is reasonable; the packaged code uses fetch and an optional CLAWNEXUS_API env var to target the daemon.
Instruction Scope
Runtime instructions only instruct contacting the local daemon endpoints and running/starting the clawnexus daemon (npm install -g clawnexus; clawnexus start). The only potentially sensitive runtime action is POST /scan (which triggers a network scan) — this is within the declared purpose (discovering instances). Instructions do not ask the agent to read unrelated files or external secrets.
Install Mechanism
No install spec is provided (instruction-only). The repository includes a Node package (normal for a skill); there are no downloads from untrusted URLs or extract actions. The README notes installing the separate clawnexus daemon via npm, which is standard but requires user privilege to install globally.
Credentials
The registry metadata lists no required env vars, but the code and README accept an optional CLAWNEXUS_API environment variable (defaults to http://localhost:17890). This is reasonable, but it's a declared override that could redirect the skill to a different API URL if set — users should ensure CLAWNEXUS_API points to a trusted local daemon.
Persistence & Privilege
always is false (no forced inclusion). The skill will make network calls (fetch/curl) to the configured API; because autonomous invocation is allowed by default, an agent could call the local daemon automatically. This is expected for a discovery/management skill but increases scope if you don't trust the daemon or the skill's invocation context.
Assessment
This skill appears to do what it claims: it talks to a local ClawNexus daemon to discover and manage OpenClaw instances. Before installing or enabling it, ensure you trust the clawnexus daemon you will run (npm install -g clawnexus) and the GitHub project on the skill homepage. Note the skill will call http://localhost:17890 by default — the CLAWNEXUS_API env var can override that, so keep it pointing at a trusted daemon. Be aware that calling the /scan endpoint triggers LAN scanning (intended behavior for discovery); if you do not want automated network scans or want to restrict the skill's actions, avoid granting the agent autonomous invocation or keep the daemon offline when not needed.dist/index.js:6
Environment variable access combined with network send.
src/index.ts:4
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🦞 Clawdis
Binscurl
latest
ClawNexus
Overview
ClawNexus is a naming and discovery layer for OpenClaw. It runs a local daemon that automatically discovers OpenClaw instances on your network and assigns them readable names, so you can refer to instances by alias (e.g., "home") instead of IP addresses.
Works across networks too — instances can register .claw names (like home.alan.id.claw) and connect via encrypted relay from anywhere.
Prerequisites
# Install and start the daemon
npm install -g clawnexus
clawnexus start
When NOT to Use
- Daemon not running → tell the user to run
clawnexus startfirst - User only has one OpenClaw instance and doesn't need discovery
- Cross-internet connections without a
.clawname (use local LAN only)
Commands
List all known instances
curl -s http://localhost:17890/instances | jq '.instances[] | {name: (.alias // .auto_name), status, address}'
Check a specific instance (by alias, auto_name, or address:port)
curl -s http://localhost:17890/instances/home
curl -s http://localhost:17890/instances/olivia
curl -s http://localhost:17890/instances/192.168.1.10:18789
Scan the local network for OpenClaw instances
curl -s -X POST http://localhost:17890/scan
Set a friendly alias for an instance
curl -s -X PUT http://localhost:17890/instances/olivia/alias \
-H "Content-Type: application/json" \
-d '{"alias": "home"}'
Get the WebSocket URL to connect to an instance
# Get address and port, then build URL
curl -s http://localhost:17890/instances/home | jq '"ws://\(.address):\(.gateway_port)"'
Check daemon health
curl -s http://localhost:17890/health
Resolve a .claw name (Registry, requires internet + v0.2+)
curl -s http://localhost:17890/resolve/myagent.id.claw
Workflow: "Is home online?"
- Check instances:
curl -s http://localhost:17890/instances - Look for alias "home" in the response
- If
status: "online"→ confirm to user - If not found → suggest scanning:
curl -X POST http://localhost:17890/scan
Workflow: "Connect me to raspi"
- Resolve:
curl -s http://localhost:17890/instances/raspi - Build URL:
ws://<address>:<gateway_port> - Report URL to user for use with OpenClaw's gateway connect
Troubleshooting
- "Connection refused" on localhost:17890 → The ClawNexus daemon is not running. Tell the user to run
clawnexus start. - No instances found → The daemon may have just started. Run
curl -s -X POST http://localhost:17890/scanto trigger a network scan, then retry listing. - Instance shows
status: "offline"→ The OpenClaw gateway on that machine may be stopped. The instance was previously discovered but is not currently reachable.
Notes
- Instance identifiers accept:
alias,auto_name,display_name,agent_id, IP address, oraddress:port auto_nameis derived from the hostname (e.g., hostname "Olivia" → auto_name "olivia")is_self: trueinstances are the local machine (address127.0.0.1); useful for health checks- The daemon persists registry to
~/.clawnexus/registry.json
Comments
Loading comments...