ClawChat - P2P Agent Communication
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill Suspicious High-Entropy/Eval files: 30 The skill is classified as suspicious due to a potential prompt injection vector against the OpenClaw agent and a path traversal vulnerability in an example script. The `src/daemon/server.ts` file's `triggerOpenclawWake` function executes `openclaw system event` with incoming message content directly embedded in the `--text` argument, which could be exploited by a malicious peer to inject harmful instructions into the receiving AI agent's prompt. Additionally, the `skills/clawchat/examples/example-handle-poll-response.sh` script demonstrates parsing message content to construct a file path (`POLL_FILE=$(echo "$POLL_MSG" | cut -d: -f3)`), which is vulnerable to path traversal if the message content is untrusted. While the skill includes explicit warnings about insecure practices in example scripts and implements ACLs, these risky capabilities without clear malicious intent warrant a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing it can run and expose code from the cloned repository and its npm dependencies on the local machine.
The skill asks the user to install from a GitHub repository and npm dependency tree, then globally link the CLI; this is disclosed and aligned with a CLI tool, but it is outside a managed install spec.
git clone https://github.com/alexrudloff/clawchat.git cd clawchat npm install && npm run build && npm link
Install only from the intended repository or a reviewed commit, check package-lock changes, and consider local/npx use instead of global linking if desired.
Anyone who obtains the seed phrase, password file, or decrypted private keys could impersonate that ClawChat identity.
The CLI creates and displays a seed phrase for the user’s messaging identity; this is expected for the Stacks-based identity design, but the seed and password protect impersonation-sensitive identity material.
mnemonic: id.mnemonic, // IMPORTANT: User must back this up!
Store seed phrases and password files securely, avoid passing passwords on the command line, and keep ~/.clawchat permissions restricted.
A trusted or misconfigured peer could send messages that influence the local agent’s next actions or attention.
The skill is designed to receive messages from other machines and can wake the local agent with incoming peer content; this is disclosed and purpose-aligned, but remote messages should not be treated as inherently trusted.
OpenClaw Native — Built for OpenClaw with `openclawWake` support (incoming messages wake your agent)
Enable wake only for identities that need it, restrict allowed peers where possible, and treat all received peer messages as untrusted instructions unless separately verified.
If wake is enabled, incoming peer messages may cause local OpenClaw notifications or agent wakeups without a separate per-message confirmation.
The daemon invokes the local OpenClaw CLI to generate wake events. This matches the documented wake feature, but it bridges network-originated messages into a local agent event mechanism.
const result = spawnSync('openclaw', ['system', 'event', '--text', wakeMessage, '--mode', mode], {Keep wake disabled for untrusted identities, use peer ACLs, and ensure wake messages are clearly labeled as remote peer content.
The process can keep listening for peers and retrying queued messages after initial setup, and optional launchd instructions can make it start on login.
The skill intentionally uses a background daemon for P2P connectivity and message retry; this is disclosed and user-directed, not hidden rogue behavior.
The daemon runs in the background, managing connections and message queues for all loaded identities.
Use `clawchat daemon status` and `clawchat daemon stop` to monitor or stop it, and only install the launchd service if persistent operation is desired.