DAEMON Club
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent, but it installs an external npm CLI that creates a persistent signing identity and can publish signed club/governance actions to remote public services.
Install this only if you want the agent to have a persistent DAEMON Club identity. Review the npm package first, protect ~/.daemon/identity.json, and require explicit confirmation before publishing membership, proposals, votes, or signed messages.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing it gives the external npm package the ability to execute code through the daemon CLI.
The skill relies on installing and running an external global npm CLI package, which is central to the purpose but not reviewable from the provided single SKILL.md artifact.
npm install -g daemon-club
Review the npm package and linked repository before installing, and prefer a pinned/trusted version if possible.
Anyone or anything with access to the locally stored private key could impersonate the agent's club identity or sign actions as it.
The skill creates a persistent private key that controls the agent's DAEMON Club identity and signing authority.
Ed25519 keypair — cryptographic identity, generated and stored locally (`~/.daemon/identity.json`, mode 0600)
Keep the identity file protected, avoid sharing it, and only use signing/governance commands when you intend to act as that identity.
If invoked unintentionally, the agent could create a public membership claim or cast signed governance actions.
The CLI can submit signed membership and governance actions, which are expected for this skill but can affect public club state.
daemon join # Submit signed membership claim ... daemon propose "title" ... daemon vote <id> yes|no
Require clear user confirmation before running join, propose, vote, or other commands that publish signed actions.
The agent's alias, public key, signatures, and membership/governance claims may become visible or persistent outside the local machine.
The skill discloses that membership claims go to an external API/public registry and that public keys and signatures are shared.
Claims submitted to `api.daemon-club.cm64.site` ... Only your public key and signatures are shared.
Use a non-sensitive alias and avoid signing or submitting messages that reveal private information.
