Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Perkoon Transfer

v2.0.1

The agent data layer. Perkoon moves files between agents and the physical world — agent to human, agent to agent, agent to pipeline. P2P over WebRTC. Free. E...

0 · 349 · 1 current · 1 all-time
by Perkoon (@alex-vy)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (P2P file transfer over WebRTC, agent-to-agent/human/pipeline) aligns with required binary (node) and the declared node package install (perkoon). No unrelated credentials, config paths, or unexpected binaries are requested.
Instruction Scope
SKILL.md instructs the agent to run CLI commands that create /tmp logs, start background processes, and share perkoon.com URLs—all within the stated file-transfer scope. It explicitly tells the agent to confirm file paths with the user and avoid sensitive directories, which is good. Note: the logs written to /tmp may contain JSON with filenames/session info, so those artifacts could expose metadata if not cleaned.
Install Mechanism
Install spec uses a Node/npm package (perkoon) which is appropriate for a Node-based CLI. This is a moderate-risk install type (npm packages execute code). The SKILL.md recommends using pinned npx invocations (e.g. perkoon@0.3.6 / @perkoon/mcp@0.1.3) to avoid dynamic fetching; the registry install metadata does not show a pinned version—this mismatch should be addressed (pin or review package before install). No downloads from arbitrary URLs or extract-from-unknown-host operations are present.
Credentials
No environment variables, secrets, or unrelated service credentials are requested. Node is the only required binary. This is proportionate to the described functionality.
Persistence & Privilege
The skill is not always-on and does not request system-wide config changes or credentials. Autonomous invocation is allowed (platform default) but not combined with other red flags here.
Assessment
This skill appears coherent for P2P file transfers. Before installing:
1) Prefer a pinned package version (the README recommends pinned npx usage); ensure the platform installer uses a pinned, reviewed version rather than pulling 'latest' from npm.
2) Understand that npx/npm-run will fetch and execute remote code; review the perkoon package contents and author on the registry if you need stronger assurance.
3) Be aware that temporary logs (/tmp/perkoon-*.log) may include filenames or session metadata; clear or restrict access if that matters.
4) Only allow the agent to send files after explicit user confirmation (the instructions require this, but verify your agent enforces it).
5) Use the CLI's --password option for sensitive transfers and verify signaling behavior (perkoon.com links likely handle signaling; confirm whether any metadata is relayed to the server).
If you need more assurance, ask the skill author for a reproducible, pinned release and a link to the package source (GitHub repo or release) to audit before installation.


latest: vk97188tm368dmkh4sy6sbhqd3s83bbsc


Runtime requirements

Clawdis
Bins: node

Install

Install Perkoon CLI
Bins: perkoon
npm i -g perkoon
