ClawNet

This skill appears to implement exactly what it claims: a QUIC-based P2P discovery and messaging daemon. Before installing, consider the following: - Network scanning: The tool includes an active scanner that will send UDP probes across arbitrary CIDR ranges (the code enforces a 1,048,576-IP upper bound). If you run the `scan`/`discover` commands or enable the daemon on a network-connected machine, you will be actively probing other hosts — this can be considered hostile on some networks and may trigger IDS/IPS alerts. - Daemon & autonomy: Running the daemon will bind to UDP port 19851, broadcast announcements, accept incoming QUIC connections, and persist identity/peer data in your user directories. If you allow the agent to invoke this skill autonomously, it could start network activity without an interactive prompt. Only enable autonomous invocation or the daemon if you trust the skill and network environment. - Build & provenance: The package is provided as source only and the SKILL metadata has no homepage or known owner reputation. Building compiles native code with several network libraries; verify the source (or audit the code) before building and running. Prefer building in a controlled environment and run first in an isolated network namespace or VM if you want to observe behavior safely. - Files & secrets: The identity secret is stored locally in your data dir. Ensure the file permissions on identity.key are restrictive (the code tries to set 0600 on Unix). If you plan to reuse this identity across environments, treat it like any secret. What would change this assessment: evidence of hidden network endpoints, exfiltration to unknown domains, or code that requests unrelated credentials would push this to 'suspicious' or 'malicious'. If you want a stricter verdict, provide the missing truncated source files or confirm whether any networking logic contacts third-party HTTP endpoints or embeds opaque keys/URLs.