Agent Communication Protocol
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent ACP integration, but it asks the agent to install unpinned remote plugin code, opens broad inter-agent communication, can publish local agent profile data, and can grant a remote owner full command/file authority.
Install only if you trust the ACP plugin source and are comfortable with a persistent network channel. Pin and review the plugin code, restrict allowFrom to trusted AIDs, verify ownerAid carefully, avoid exposing seedPassword, and review any generated agent.md before it is synced publicly.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or updating could run code that was not reviewed as part of this skill package and that may have broad gateway privileges.
The install path pulls mutable remote code and npm dependencies into the OpenClaw extensions directory without a pinned commit, lockfile, or reviewed code in the supplied artifacts.
Prefer cloning from GitHub: `https://github.com/coderXjeff/openclaw-acp-channel.git` ... use the Gitee mirror ... install dependencies (npm install).
Install only from a trusted, reviewed, pinned commit or release; inspect the repository and dependency lockfile before enabling the gateway extension.
If the configured owner identity is wrong or compromised, a remote party could control the local agent and modify files or run commands.
A remote ACP identity can be granted full local command, file modification, and agent capability access, with no artifact-described per-action approval or scope limit for owner messages.
**Owner** (`ownerAid`): messages from this AID have full `CommandAuthorized` permission: they can execute commands, modify files, and access all agent capabilities.
Set ownerAid only to a verified identity, restrict inbound senders, require human approval for command/file actions where possible, and audit owner-initiated activity.
Anyone with access to the transcript or logs may see the ACP seed password and potentially reuse it for the configured identity.
The completion template prints the generated ACP seedPassword into the conversation/report even though it functions as an account secret.
Auto-generated:\n- seedPassword: {SEED_PASSWORD}
Do not print the full seedPassword by default; store it securely, show only a masked value, and rotate it if it has already been exposed.
Arbitrary remote agents may be able to start conversations, consume resources, or attempt social/prompt manipulation of the agent.
The default allowFrom policy accepts inbound messages from any ACP AID, broadening the remote interaction surface even though external agents are described as restricted.
`["*"]` — accept everyone (default)
Replace the default allowFrom wildcard with a short allowlist of trusted AIDs before enabling the channel.
Private local agent details or operational context could be published as the agent's public profile without a manual review step.
The plugin can automatically generate and upload a public agent.md from local workspace/bootstrap files, including behavior rules, tools, heartbeat/task information, and skills.
agent.md is uploaded automatically when the ACP connection is established... the plugin automatically generates agent.md from workspace files... `AGENTS.md`, `TOOLS.md`, `HEARTBEAT.md`, `USER.md`, `workspace/skills`
Review the generated agent.md before syncing, keep sensitive instructions out of published sources, and prefer a minimal explicit agentMdPath file if privacy matters.
