Skill v0.1.0
ClawScan security
cerbug45 - Encrypted Agent Communication · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Feb 11, 2026, 11:41 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions roughly match its stated encrypted agent-messaging purpose, but important implementation details are missing or inconsistent (undeclared dependencies, a fixed file path, and private keys stored unencrypted), so be cautious before installing or running it.
- Guidance: This skill is plausible as an encrypted agent-messaging design, but it contains several red flags and missing pieces to resolve before installing or running it:
  - Missing dependency declarations: the SKILL.md imports Python cryptography libraries but gives no install instructions. Ask the maintainer to declare the required packages (and ideally supply a vetted install script or container image).
  - Plaintext private-key persistence: the example stores the agent's private key base64-encoded in /home/claude/.clawhub/identity.json with no encryption and no OS keyring. That undermines the very security the skill promises; require encrypted key storage (a passphrase-protected key file, the OS keyring, or hardware-backed storage) or explicit instructions for secure key handling.
  - Hard-coded filesystem path: the code writes to /home/claude/.clawhub, assuming a specific user layout. Request a configurable path, and run the skill with least privilege (or inside an isolated container or sandbox while testing).
  - Unspecified network endpoints and registration flow: the skill describes a 'ClawHub Network' but names no server addresses, protocols, or trust anchors. Ask where public keys are published, which servers are involved, and why those servers should be trusted. Without this, the agent may attempt arbitrary outbound connections.
  - Protocol and threat model: request details on authentication, replay protection, key rotation, and how message queues are secured on the server side. Also confirm whether persisted messages are kept as ciphertext at rest and how private metadata is protected.
  If you still want to test it: run it in a restricted sandbox or container, use no real secrets or real agent accounts, and require the author to provide clear dependency/install steps and secure key storage before any production use.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md describes an encrypted agent-messaging system (keypairs, E2E encryption, queues), which is consistent with the name and description. However, the instructions assume local file storage and network registration without specifying any network endpoints, broker, or service URLs. The skill also declares no required libraries (it imports cryptography.*) or other runtime dependencies, so what is needed to implement the stated capabilities is underspecified.
- Instruction Scope (concern): The runtime instructions include concrete Python code that generates RSA keys and writes identity.json to /home/claude/.clawhub, and they describe message queuing and persistence. The code persists private_key (base64-encoded PEM) unencrypted on disk and uses a fixed user path (/home/claude); neither choice is justified by the description, and the first can lead directly to private-key exposure. The document is also vague about how agents register and discover each other and which remote endpoints (if any) the agent should contact, leaving the agent broad discretion to make outbound network calls.
- Install Mechanism (concern): This is an instruction-only skill with no install spec, so the surface for arbitrary downloads is small. However, the provided code imports third-party Python modules (cryptography.hazmat.*) and will fail unless those packages are present. The skill neither declares those dependencies nor provides an install plan, creating a runtime mismatch and an incentive for an agent to attempt ad-hoc installs or fall back to alternate code paths.
- Credentials (concern): The skill declares no required environment variables or credentials, yet its instructions persist long-lived private keys and expect network registration. If registration were actually required it would likely need API keys or endpoints, and none are declared. The absence of declared credentials, combined with instructions that store secret keys in plaintext, is disproportionate and risky.
- Persistence & Privilege (concern): The skill writes persistent data (identity.json containing a base64-encoded private key) to a fixed path in the agent's home directory and references message persistence and queues. Although the skill sets always:false (so it will not be force-installed everywhere), it requests persistent storage of long-lived secrets in an insecure manner and assumes write access to /home/claude, which is a privileged assumption about the runtime environment.
