magic-wormhole

The skill's files, instructions, and requirements are coherent with its stated purpose (secure secret sharing via magic-wormhole); no unrelated credentials or opaque installs are requested, though you should review the installer and be careful not to hand secrets or publish tokens to the agent.

This package appears to implement magic-wormhole usage correctly, but take these precautions before installing or using it: 1) Inspect install.sh before running — it will run package manager/pip/brew commands and may require sudo; run it in a sandbox if possible. 2) Confirm your agent/runtime does not log or persist secret contents anywhere (chat history, telemetry, debug logs). The instructions rely on the agent returning only the short wormhole code; ensure that behavior is enforced. 3) Do not hand over API tokens, CI tokens, or other credentials to the agent unless you explicitly want it to perform publication; the included CLAWHUB_PUBLISHING.md documents how to obtain a ClawHub token — treat that token as sensitive. 4) Prefer self-hosting rendezvous/transit relays in high-security environments (SKILL.md documents how). 5) Clean up temporary files and restrict file permissions as recommended in the examples. If you want a higher assurance level, ask for the full install.sh content and have it reviewed or run installation in an isolated VM/container.