Skill v1.2.0

ClawScan security

Fleet Communication System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 2, 2026, 9:36 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill implements a simple HTTP message bus that matches its stated purpose, but there are security and documentation mismatches (server binds 0.0.0.0, CORS '*' and no authentication, undocumented env var) that could expose the fleet or allow unauthenticated remote control if deployed as-is.
Guidance
This skill is functionally coherent (it creates a lightweight HTTP message bus and CLI), but it is permissive and lacks access controls. Before installing or running:

- Be aware the server binds to 0.0.0.0 (all interfaces) and sets CORS to '*' — by default it will be reachable from the network and from browsers on other hosts. If you only want local access, set FLEET_BUS_PORT and bind the process to 127.0.0.1 or modify the code to listen on localhost.
- Add authentication/authorization: consider requiring a shared token or mTLS so arbitrary peers cannot register, read messages, or push tasks. Without this, malicious network peers could send commands or exfiltrate messages.
- Protect the data directory: messages.jsonl and nodes.json are written to disk under the skill data dir (FLEET_DATA_DIR). If these contain sensitive content, ensure file permissions and backups are appropriate.
- Document and configure FLEET_DATA_DIR: the code uses this env var but SKILL.md doesn't mention it. Set it explicitly if you want data kept outside the skill bundle.
- Review any agents that act on received 'task' messages: if other nodes automatically execute tasks received via this bus, the lack of auth creates a command-and-control risk. Ensure receiving agents validate/authorize tasks before executing.
- If you want to expose the bus across machines, run it behind a firewall, VPN (e.g., Tailscale as the diagram suggests), or an authenticated reverse proxy to limit who can connect.

Given these issues, consider this skill suspicious until you harden it (bind to localhost, add auth, restrict CORS) or accept the network exposure intentionally.

Review Dimensions

Purpose & Capability
ok
Name/description (fleet-wide messaging) align with the code and CLI: the files implement an HTTP message bus, endpoints for send/broadcast/read/register/status, and a dashboard. The ability set is coherent with the stated purpose.
Instruction Scope
note
SKILL.md gives clear instructions to start the bus and use the CLI; it documents FLEET_NODE_ID, FLEET_BUS_URL and FLEET_BUS_PORT which the CLI/server use. Minor mismatch: the code reads FLEET_DATA_DIR (to store messages/nodes) but SKILL.md does not mention it. The runtime instructions do not ask the agent to read unrelated system files or secrets.
Install Mechanism
ok
No install spec (instruction-only) and included JS files are executed directly by node. This is a low-risk install model in terms of arbitrary remote downloads.
Credentials
concern
The skill requests no credentials, which is consistent with a simple local bus, but the server binds to '0.0.0.0' and responds with Access-Control-Allow-Origin: '*' — exposing endpoints to the network without authentication. That lack of access control is disproportionate to the sensitivity of cross-node task messages. Also FLEET_DATA_DIR is used by code but not documented in SKILL.md.
Persistence & Privilege
ok
The skill does not request always:true, does not modify other skills, and has no special persistence claims. It writes message and node JSON files under its data directory, which is normal for a local bus.