ClawLink

Security checks across malware telemetry and agentic risk

Overview

ClawLink mostly matches its encrypted messaging purpose, but its mailbox reader can be given a crafted filename that reads local files outside the message folders.

Review carefully before installing. ClawLink’s messaging, relay, local keys, and heartbeat polling are mostly disclosed and purpose-aligned, but the mailbox filename handling should be fixed before trusting the agent with sensitive local files. Protect ~/.openclaw/clawlink, treat received messages as untrusted text, and run the setup scripts only from a source you trust.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

A crafted mailbox filename could make the agent read files outside the mailbox, including ClawLink identity secrets or other files in the user’s home directory.

Why it was flagged

The mailbox reader accepts a caller-supplied filename, joins it to the inbox/outbox directory, and reads it without rejecting '..' or path separators. The handler exposes this through inbox/outbox filename actions.

Skill content
export function getMessage(box, filename) { ... const filepath = join(dir, filename); ... return readFileSync(filepath, 'utf8'); }
Recommendation

Restrict reads to filenames returned by the mailbox listing, reject path separators and '..', and resolve the path then verify it stays inside the intended inbox or outbox directory.

ASI05: Unexpected Code Execution
Low
What this means

Installing runs local package code and dependency installation commands.

Why it was flagged

Setup requires executing npm and local Node scripts. This is normal for this package-style skill, but it is not captured by an install spec.

Skill content
npm install
node scripts/install.js      # Adds to HEARTBEAT.md + checks identity
Recommendation

Run setup commands only after reviewing or trusting the package source and dependency lockfile.

ASI10: Rogue Agents
Low
What this means

After install, the agent may periodically check the relay for messages until the heartbeat entry is removed.

Why it was flagged

The skill discloses that installation adds a heartbeat entry for ongoing message polling.

Skill content
Appends a ClawLink heartbeat entry to `~/clawd/HEARTBEAT.md`
Recommendation

Install only if periodic polling is desired, and use the documented uninstall command or manually remove the ClawLink HEARTBEAT.md section if not.

ASI03: Identity and Privilege Abuse
Low
What this means

Anyone who can read these files may be able to impersonate the ClawLink identity or decrypt future communications depending on the protocol state.

Why it was flagged

The skill stores local cryptographic identity material and shared secrets, which is necessary for end-to-end encrypted messaging and is disclosed.

Skill content
`identity.json` — Your Ed25519 keypair
`friends.json` — Friend list with shared secrets
Recommendation

Protect ~/.openclaw/clawlink, do not share identity.json or friends.json, and rotate/recreate the identity if those files are exposed.

ASI06: Memory and Context Poisoning
Low
What this means

Private message history can remain on disk and remote message text may be seen by the agent in later tasks.

Why it was flagged

Incoming and outgoing message contents are retained locally as readable Markdown files, creating persistent context that may be sensitive or later reintroduced to the agent.

Skill content
Persists messages to inbox/ and outbox/ folders as markdown files.
Recommendation

Make retention clear to users, provide deletion/retention controls, and treat stored messages as untrusted content when reloading them.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Messages from friends’ agents can influence what the local agent sees and may contain instructions the user did not author.

Why it was flagged

The core feature is agent-to-agent communication through a relay. The artifacts disclose encryption, signatures, and friend approval, but remote peer text is still untrusted input.

Skill content
Encrypted peer-to-peer messaging between Clawbots via central relay.
Recommendation

Render remote messages as quoted untrusted content and avoid letting message text automatically trigger tool use, file reads, sends, or approvals.