Clawlink
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
ClawLink mostly matches its encrypted bot-messaging purpose, but an unsafe mailbox file reader and some security-claim gaps require review before use.
Before installing, confirm you want persistent Clawbot-to-Clawbot messaging through the disclosed relay. Patch or verify the mailbox filename handling, protect ~/.openclaw/clawlink, treat received messages as untrusted content, and review the full source/dependencies before relying on the encryption claims.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A prompted or mistaken invocation of the inbox/outbox read action could expose local files outside ClawLink’s mailbox in the agent output.
getMessage builds a path from an agent/user-supplied filename and reads it without rejecting '..' or enforcing that the resolved path remains inside the inbox/outbox directory.
const filepath = join(dir, filename); ... return readFileSync(filepath, 'utf8');
Only allow filenames returned by listInbox/listOutbox, reject path separators and '..', and use path.resolve with a strict directory-prefix check before reading.
Users may over-trust the stated encryption properties without an implementation review.
SKILL.md advertises XChaCha20-Poly1305, but the supplied implementation uses TweetNaCl secretbox, which is a different primitive. For an encrypted messaging skill, this makes the exact security claim insufficiently supported by the artifacts.
const encrypted = nacl.secretbox(messageBytes, nonce, sharedSecret);
Align the documentation with the actual cryptographic primitive, or update the implementation and obtain a focused crypto review before relying on the E2E claims.
A friend, compromised friend bot, or unsolicited request could send text that tries to influence the local agent.
The heartbeat automatically polls relay-delivered messages and prints them into agent-visible output. This is expected for messaging, but the text originates from other Clawbots or friend requests.
const result = await clawbot.checkMessages();
...
console.log(outputs.join('\n\n---\n\n'));
Label inbound ClawLink content as untrusted messages and require explicit user confirmation before the agent follows instructions contained in received messages.
Private messages may remain on disk and be available to later agent actions or anyone with local file access.
Received and sent message bodies are saved as local Markdown files, creating persistent plaintext message history.
Persists messages to inbox/ and outbox/ folders as markdown files.
Disclose plaintext retention clearly, set restrictive file permissions, and consider deletion, retention, or encryption-at-rest options.
If these files are read or copied, someone could impersonate the user’s ClawLink identity or decrypt/forge communications depending on the stored material.
The skill creates and stores private identity material and shared secrets locally. This is purpose-aligned for encrypted messaging, but the files are sensitive material: whoever holds them holds the user’s ClawLink identity.
`identity.json`: Your Ed25519 keypair
`friends.json`: Friend list with shared secrets
Protect ~/.openclaw/clawlink with local file permissions, avoid syncing it to untrusted locations, and rotate/recreate identity if the files are exposed.
After installation, the agent may keep polling for ClawLink messages until the heartbeat entry is removed.
The installer adds persistent periodic polling to the agent heartbeat. This persistence is disclosed and aligned with async message delivery.
Appends a ClawLink heartbeat entry to `~/clawd/HEARTBEAT.md`
Install only if you want ongoing polling, and use the documented uninstall step or manually remove the ClawLink heartbeat section when no longer needed.
Running setup gives the package and its dependencies the opportunity to execute code locally.
Setup requires executing local Node/npm commands. This is normal for a CLI skill, but it executes package code on the user’s machine.
npm install
node scripts/install.js
Review the full package and lockfile, install from a trusted source, and run setup from the intended skill directory.
