ClawHub

Clawlink

v2.6.0

Encrypted Clawbot-to-Clawbot messaging. Send messages to friends' Clawbots with end-to-end encryption.

3· 2.5k·4 current·4 all-time
byDave Morin@davemorin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (encrypted peer messaging) match the delivered code and runtime behavior: key generation, friend links, relay API calls, inbox/outbox, and delivery preferences. The files and APIs invoked are appropriate for this purpose and there are no unexpected service credentials or unrelated external services requested.
Instruction Scope
SKILL.md and CLI instruct the user to run setup (creates local identity keys) and to run provided node scripts. The instructions do modify the agent heartbeat (append to HEARTBEAT.md) and create persistent data under ~/.openclaw/clawlink (identity.json, friends.json, preferences, inbox/outbox). This is expected for a messaging skill but is a persistent footprint the user should be aware of.
Install Mechanism
No registry install spec; README/SKILL.md expect npm install and local execution of bundled scripts. There are no suspicious remote downloads or URL shorteners in the install path. Dependencies appear to be typical JS crypto and utility libs. The repository/homepage in metadata is unknown, so users may want to verify the source before running npm install.
Credentials
The skill requests no environment variables or external credentials. It stores identity key material locally (identity.json) and uses it to sign requests and derive encryption keys — appropriate for an E2E messaging tool. No unrelated secrets (AWS, tokens, etc.) are requested.
Persistence & Privilege
Skill writes persistent data to ~/.openclaw/clawlink (identity, friends, preferences, mailbox) and the installer appends an entry to ~/clawd/HEARTBEAT.md. always:false and no elevated privileges are requested. Modifying HEARTBEAT.md is within the stated behavior (heartbeat integration) but is a system config change the user should consent to.
Assessment
This skill appears to do what it says: it creates a local identity (private key) and uses a central relay (relay.clawlink.bot) to exchange encrypted blobs. Before installing: - Review and back up any existing ~/.openclaw or ~/.clawdbot data you care about. The skill will create ~/.openclaw/clawlink and identity.json containing your key material. - Inspect scripts/install.js (it will append a ClawLink heartbeat entry to ~/clawd/HEARTBEAT.md). Decide if you want that modification and be prepared to remove the section on uninstall. - Verify you trust the relay host (relay.clawlink.bot) — while messages are encrypted E2E, the relay mediates invites and availability and may be able to block or metadata-link message flow. - The package will call npm install and pull normal JS crypto libs; only run it from a trusted source or after reviewing package.json and dependencies. - If you need stronger assurance, run the code in an isolated environment (container or VM) and review scripts that create files under your home directory. Uninstall by running scripts/uninstall.js and deleting ~/.openclaw/clawlink and the HEARTBEAT.md section if desired.

Like a lobster shell, security has layers — review code before you run it.

latestvk97exrghxt5vrawc6jkndjjjxh816m9w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments