Skill v0.1.1

ClawScan security

AgentMesh · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 26, 2026, 6:39 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The package mostly implements what it claims (end-to-end encrypted agent messaging) but there are important mismatches and a substantive security/design issue (the network hub accepts unauthenticated registrations, enabling impersonation) that contradict the skill's claims about preventing impersonation.
Guidance
This project appears to implement an end-to-end encrypted agent messaging system and the code matches the documentation, but there are important security caveats to consider before installing or running it:
- Registration is unauthenticated: the NetworkHubServer accepts REGISTER messages and stores whatever public bundle a client provides under the supplied agent_id. A malicious client can therefore register as someone else (e.g. 'alice') and cause other agents to establish sessions to the attacker's keys, enabling impersonation and message interception. Do not run the NetworkHubServer on an untrusted or public network without adding authentication/authorization (e.g. challenge-response proof-of-possession of the identity key, TLS client certificates, API keys, or an authenticated admin control).
- Binding to 0.0.0.0 is dangerous on public machines. If you run the hub, bind it to a private interface or restrict it with firewall rules and TLS/transport-level authentication.
- Persistent private keys are written to disk when you use keypair_path. Store those files securely (restrictive filesystem permissions, encryption at rest) and never share them.
- The SKILL.md suggests installing from GitHub (a well-known host), but the registry metadata shows 'Source: unknown / Homepage: none'. Verify the upstream repository origin and review its commits before pip-installing remote code.
- If you plan to use this in production, review and harden the hub: require authenticated registration (proof-of-possession of identity keys), add transport authentication and optional client authorization, and consider adding logging/monitoring and rate-limiting.
Given the unauthenticated registration behavior, which directly contradicts the claimed 'no-impersonation' guarantee, treat the skill as suspicious until you or the package maintainer addresses hub authentication and documents deployment security recommendations.

Review Dimensions

Purpose & Capability
concern: The code implements an encrypted agent messaging system consistent with the README/SKILL.md. However, the README claims 'Impersonation impossible' and per-message Ed25519 authentication, while the NetworkHubServer accepts REGISTER requests without authenticating the registering party. An attacker can register any agent_id with a public bundle they control and thereby cause other agents to derive sessions to the attacker's keys, enabling impersonation. This contradicts the stated security guarantees.
Instruction Scope
concern: SKILL.md and the examples instruct running a hub server (python -m agentmesh.hub_server --host 0.0.0.0) and using NetworkHub across machines. The runtime instructions do not mention any authentication or access controls for the hub server. Together, the instructions and code therefore permit starting an unauthenticated TCP broker bound to 0.0.0.0 that accepts registrations from arbitrary peers, a broader scope than the SKILL.md's security claims imply.
Install Mechanism
note: Registry metadata lists 'No install spec (instruction-only)', yet the package includes full source files and SKILL.md recommends pip-installing from GitHub (a well-known host). The recommended install URL (github.com/cerbug45/AgentMesh) points at a common release host, but the registry's 'Source: unknown / Homepage: none' is inconsistent with the docs and should be verified before installing.
Credentials
ok: The skill requests no environment variables, credentials, or special config paths. The example code mentions replacing a mock LLM call with a real API (which would require keys), but that is optional example code, not something the package requires.
Persistence & Privilege
note: The skill does not request always: true and is user-invocable. Running the NetworkHubServer opens a TCP listener (default port 7700, often bound to 0.0.0.0 in the examples). That is expected for a broker but is a privilege: started on an exposed interface, it accepts remote agent registrations and traffic. The package writes persistent key files if the user opts into keypair_path; the docs warn users to store private keys securely.
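The registration weakness described in the Guidance and in the Purpose & Capability dimension above, as an added example that is not part of the scanner output or of the AgentMesh package: a simplified hub that stores any REGISTER bundle under the claimed agent_id, beside one that requires a challenge-response proof-of-possession of the identity key before binding (or rebinding) an id, with an optional admin allowlist so unclaimed ids cannot be squatted. The hub class names, the REGISTER message layout and the bundle fields are assumptions; the Lamport one-time signature is a stdlib-only stand-in for the package's Ed25519 so the block runs offline.

```python
import hashlib
import os
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature: a stdlib-only stand-in for the package's Ed25519.
# It is a genuine public-key scheme, but each key may sign only ONE message;
# a real hub would use Ed25519 (e.g. PyNaCl). Assumed here, not AgentMesh code.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def reg_msg(agent_id: str, nonce: bytes, bundle: dict) -> bytes:
    """What the client signs: domain tag, claimed id, hub nonce, and a hash of the
    whole bundle (identity key AND prekey), so a swapped prekey voids the proof."""
    pk_bytes = b"".join(a + b for a, b in bundle["identity_pk"])
    return b"REGISTER|" + agent_id.encode() + b"|" + nonce + b"|" + H(pk_bytes + bundle["prekey"])


class UnauthenticatedHub:
    """The flaw in the verdict: store whatever bundle arrives under the claimed id."""
    def __init__(self):
        self.directory = {}

    def register(self, agent_id: str, bundle: dict) -> bool:
        self.directory[agent_id] = bundle          # no proof the sender owns the key
        return True


class AuthenticatedHub:
    """Challenge-response proof-of-possession. Once an id is bound to an identity
    key, only a holder of that key may update the entry (e.g. rotate the prekey).
    An optional admin allowlist pins ids to keys so unclaimed ids cannot be squatted."""
    def __init__(self, allowlist=None):
        self.directory, self.pending, self.allowlist = {}, {}, allowlist

    def challenge(self, agent_id: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = agent_id             # single-use, bound to the id
        return nonce

    def register(self, agent_id: str, bundle: dict, nonce: bytes, sig) -> bool:
        if self.pending.pop(nonce, None) != agent_id:
            return False                           # unknown, replayed or mismatched nonce
        if agent_id in self.directory:
            expected = self.directory[agent_id]["identity_pk"]   # must prove the OLD key
        elif self.allowlist is not None:
            expected = self.allowlist.get(agent_id)              # admin-pinned key, or None
        else:
            expected = bundle["identity_pk"]                     # first-come binding
        if expected is None or expected != bundle["identity_pk"]:
            return False
        if not verify(expected, reg_msg(agent_id, nonce, bundle), sig):
            return False
        self.directory[agent_id] = bundle
        return True


def demo() -> dict:
    """Constructed scenario: alice registers; mallory tries to hijack 'alice' by
    keeping alice's identity key in the bundle but substituting her own prekey."""
    alice_sk, alice_pk = keygen()
    mallory_sk, mallory_pk = keygen()
    alice_bundle = {"identity_pk": alice_pk, "prekey": os.urandom(32)}
    forged_bundle = {"identity_pk": alice_pk, "prekey": os.urandom(32)}

    weak = UnauthenticatedHub()
    weak.register("alice", alice_bundle)
    weak.register("alice", forged_bundle)          # silently overwrites alice's entry

    strong = AuthenticatedHub(allowlist={"alice": alice_pk})
    n1 = strong.challenge("alice")
    alice_sig = sign(alice_sk, reg_msg("alice", n1, alice_bundle))
    alice_ok = strong.register("alice", alice_bundle, n1, alice_sig)
    n2 = strong.challenge("alice")                 # mallory cannot sign under alice_pk
    mallory_ok = strong.register("alice", forged_bundle, n2,
                                 sign(mallory_sk, reg_msg("alice", n2, forged_bundle)))
    replay_ok = strong.register("alice", alice_bundle, n1, alice_sig)   # nonce reused
    n3 = strong.challenge("bob")                   # 'bob' not allowlisted: rejected before
    squat_ok = strong.register("bob", {"identity_pk": mallory_pk,       # any signature check
                                       "prekey": os.urandom(32)}, n3, [])
    return {"weak_hijacked": weak.directory["alice"] is forged_bundle,
            "alice_ok": alice_ok, "mallory_ok": mallory_ok,
            "replay_ok": replay_ok, "squat_ok": squat_ok,
            "alice_intact": strong.directory["alice"] is alice_bundle}
```

Calling demo() returns weak_hijacked True and alice_ok/alice_intact True with the three attacks (prekey substitution, nonce replay, id squatting) all False. The proof must cover the full bundle, not just the identity key: with a hub that checks only the identity key, an attacker who can reach the hub can leave the victim's identity key in place and swap the prekey that peers use to derive sessions, which is exactly the "sessions to the attacker's keys" outcome the verdict describes.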