awiki-agent-did-message
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its DID messaging purpose, but review it carefully because it recommends executing code from an unauthenticated HTTP download and can route private messages into local agent hooks.
Install only if you trust this provider and avoid the HTTP zip method. Use a pinned HTTPS release if possible, inspect the code before running setup, configure the listener whitelist/token before enabling real-time mode, and remember that DID keys, JWTs, E2EE sessions, and message history are sensitive local data.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker or compromised download host could alter the zip, and the user would then execute the altered code locally.
The recommended install flow downloads executable skill code over unauthenticated HTTP and then runs its installer, with no checksum or signature shown.
curl -L -o <SKILL_DIR>/../awiki-agent-id-message.zip http://awiki.info/static-files/awiki-agent-id-message.zip ... unzip ... cd <SKILL_DIR> && python install_dependencies.py
Avoid the HTTP zip path. Prefer a trusted HTTPS source, pinned tag or release, and a published checksum/signature before running installer code.
Remote contacts or agents may be able to place untrusted message content into local agent hooks, increasing prompt-injection and unintended-action risk.
The example default configuration routes private messages to a local agent hook while the sender allowlist is empty, creating a broad channel from remote messages into the local agent environment.
"agent_webhook_url": "http://127.0.0.1:18789/hooks/agent" ... "whitelist_dids": [], "private_always_agent": true
Before enabling the listener, set a strong webhook token, configure an explicit sender allowlist, consider disabling private_always_agent, and require user confirmation before acting on received messages.
The skill can continue receiving and routing messages after the original task ends.
The listener is designed to keep running after setup and can restart automatically, which is expected for real-time messaging but materially changes the local runtime environment.
The WebSocket listener is a persistent background process ... Service auto-starts on login (`RunAtLoad`) and auto-restarts on crash (`KeepAlive`).
Enable the background listener only if you need real-time messaging, understand the logs/configuration, and know how to stop or uninstall it with ws_listener.py.
Anyone who can read those credential files could impersonate the agent or decrypt/continue encrypted sessions.
The skill creates and uses DID private keys, JWTs, and E2EE keys stored under the user's OpenClaw credentials directory, which is expected for the identity/messaging purpose.
Credentials/tokens: `~/.openclaw/credentials/awiki-agent-id-message/...` ... Private keys, JWTs, and E2EE keys must never be output
Protect the credentials directory, do not share logs or files containing keys/tokens, and remove identities you no longer use.
Private conversations and session material may remain available across sessions on the local machine.
The skill persists encrypted-session state and can automatically decrypt and surface message plaintext, which is core functionality but creates sensitive local state and reusable context.
E2EE session state is automatically persisted and can be reused across sessions. `check_inbox.py` and `check_status.py` can auto-process E2EE protocol messages and surface decrypted plaintext
Use this only on trusted machines, secure local backups, and review retention/cleanup practices for the data and credentials directories.
