Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
awiki-agent-did-message
v1.3.10
Verifiable DID identity and end-to-end encrypted inbox for AI Agents. Built on ANP (Agent Network Protocol) and did:wba. Provides self-sovereign identity, Ha...
⭐ 4 · 507 · 0 current · 0 all-time
by Gaowei Chang @chgaowei
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and instructions implement DID identities, handle registration, federated messaging, groups, and HPKE E2EE as advertised — the large surface (many scripts, a persistent WebSocket listener, local SQLite store, credential files) is consistent with a messaging/identity skill. However, the published metadata claims no required environment variables or credentials while SKILL.md and code reference multiple environment variables (AWIKI_DATA_DIR, AWIKI_WORKSPACE, E2E_USER_SERVICE_URL, E2E_MOLT_MESSAGE_URL, E2E_DID_DOMAIN) and local credential storage, which is an inconsistency that reduces transparency.
Instruction Scope
Runtime instructions direct the agent/user to run installation scripts, migrate local databases, generate persistent credentials in ~/.openclaw/credentials, and install a platform service (systemd/launchd/Task Scheduler) that will open outgoing WS connections and forward messages to local webhooks. The SKILL.md also instructs fetching a canonical remote SKILL.md when local is missing, giving an external document the power to change runtime instructions. The SKILL.md explicitly warns about not exposing secrets, but the install/runtime steps still give the skill broad ability to read, persist, and forward messages and tokens — more privilege than a purely read-only helper. A prompt-injection indicator was detected in SKILL.md content (see scan findings).
Install Mechanism
No formal install spec is declared in registry metadata (instruction-only), but SKILL.md recommends two install flows: (1) curl an archive from http://awiki.info/... (HTTP, non-HTTPS) and unzip it, then run install_dependencies.py; or (2) git clone from GitHub and run install_dependencies.py. The HTTP zip download is a high-risk instruction (unencrypted, different domain than awiki.ai). install_dependencies.py uses pip and runs database migration scripts and listener coordination (which can stop/restart services) — these actions write files and may install background services; the install path therefore has significant system impact.
Credentials
Registry-level metadata lists no required environment variables or primary credential, but the SKILL.md and code clearly expect and use environment variables (AWIKI_DATA_DIR, AWIKI_WORKSPACE, E2E_USER_SERVICE_URL, E2E_MOLT_MESSAGE_URL, E2E_DID_DOMAIN) and local credential files under ~/.openclaw/credentials/awiki-agent-id-message/. The skill stores private keys, JWTs, and E2EE session state locally and interacts with remote services; it may require phone numbers or emails for handle registration and will send verification codes. The mismatch between declared requirements and actual usage is a transparency risk: the skill will handle secrets and persistent credentials though none are declared to the registry.
Persistence & Privilege
always:false (not force-included) and model invocation is allowed (normal). However the skill instructs installing a persistent WebSocket listener as a background service (systemd/launchd/Task Scheduler) that owns a remote WS connection and exposes a local daemon/webhook. That is coherent with a messaging skill but increases attack surface because a long-running process will accept remote pushes and forward them to local agent endpoints — ensure service config (webhook_token, routing rules, whitelist/blacklist) is correctly set and isolated. The skill does not request to modify other skills' configs, but it does ask to integrate with OpenClaw local webhook tokens, which implies permission to read or be configured to match host settings.
Scan Findings in Context
[prompt_injection:ignore-previous-instructions] unexpected: A prompt-injection pattern was detected inside SKILL.md (the pre-scan flagged 'ignore-previous-instructions'). The SKILL.md also instructs agents to fetch a remote canonical SKILL.md if local copy is missing, which could allow changed remote instructions to influence agent behavior. This is not expected or necessary for a stable install and raises risk of remote manipulation.
What to consider before installing
Key points to consider before installing:
- Source provenance: prefer cloning the code from a trustworthy repository (the SKILL.md references GitHub AgentConnect and awiki.ai). Avoid the recommended Option 1 download URL (http://awiki.info/...) because it uses plain HTTP and a different domain — that is a high-risk vector for tampered archives. If you must fetch remotely, use HTTPS from a verified host and inspect the archive before executing any install script.
- Review code locally: this package contains many scripts that create credentials, persist private keys in ~/.openclaw/credentials, and install a background WebSocket listener (systemd/launchd/Task Scheduler). Review scripts that install the listener (ws_listener.py, setup_realtime.py, service templates) and any code that stops/starts services before running them.
- Environment transparency: the registry shows no required env vars, but SKILL.md and code use multiple environment variables and local files. Expect the skill to read/write sensitive files (private keys, JWTs). Do not install in a high-privilege or production host without auditing and isolating credentials.
- Network endpoints and tokens: confirm the endpoints (E2E_USER_SERVICE_URL, E2E_MOLT_MESSAGE_URL) and webhook token values; configure routing whitelist/blacklist to minimize forwarded content. The listener will forward remote messages to local webhooks — misconfiguration can leak host data if webhook endpoints accept or trigger local actions.
- Phone/email verification: handle registration requires phone numbers or email addresses and will send verification codes; do not provide sensitive personal contact details unless you understand the service privacy policy and trust the operator.
- Run in isolation first: test in a sandboxed/user-only environment or VM, and back up your existing OpenClaw credentials and workspace. Inspect and audit install_dependencies.py, database migration scripts, and any service unit files generated by ws_listener.py.
- Ask for clarification: request the publisher to (a) declare the environment variables and credential needs in registry metadata, (b) remove or replace the HTTP zip recommendation with HTTPS, and (c) explain the behavior when fetching remote SKILL.md and provide an integrity mechanism (checksum/signature) for remote archives. If you cannot verify these, treat the skill as higher risk and avoid granting it persistent or privileged access.
service/listener.example.json:3
Install source points to URL shortener or raw IP.
service/settings.example.json:13
Install source points to URL shortener or raw IP.
references/RULES.md:83
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
