Skill v0.1.0
ClawScan security
ClawNet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 14, 2026, 3:19 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (QUIC-based P2P discovery and direct messaging); however it includes active network-scanning and daemon behaviors that could be abused, so exercise caution before enabling autonomous or long-running runs.
- Guidance: This skill appears to implement exactly what it claims: a QUIC-based P2P discovery and messaging daemon. Before installing, consider the following:
  - Network scanning: The tool includes an active scanner that will send UDP probes across arbitrary CIDR ranges (the code enforces a 1,048,576-IP upper bound). If you run the `scan`/`discover` commands or enable the daemon on a network-connected machine, you will be actively probing other hosts — this can be considered hostile on some networks and may trigger IDS/IPS alerts.
  - Daemon & autonomy: Running the daemon will bind to UDP port 19851, broadcast announcements, accept incoming QUIC connections, and persist identity/peer data in your user directories. If you allow the agent to invoke this skill autonomously, it could start network activity without an interactive prompt. Only enable autonomous invocation or the daemon if you trust the skill and network environment.
  - Build & provenance: The package is provided as source only and the SKILL metadata has no homepage or known owner reputation. Building compiles native code with several network libraries; verify the source (or audit the code) before building and running. Prefer building in a controlled environment and run first in an isolated network namespace or VM if you want to observe behavior safely.
  - Files & secrets: The identity secret is stored locally in your data dir. Ensure the file permissions on identity.key are restrictive (the code tries to set 0600 on Unix). If you plan to reuse this identity across environments, treat it like any secret.

  What would change this assessment: evidence of hidden network endpoints, exfiltration to unknown domains, or code that requests unrelated credentials would push this to 'suspicious' or 'malicious'. If you want a stricter verdict, provide the missing truncated source files or confirm whether any networking logic contacts third-party HTTP endpoints or embeds opaque keys/URLs.
Review Dimensions
- Purpose & Capability (note): The name/description (P2P discovery + NAT traversal + direct messaging) matches the code and runtime instructions: it builds a Rust binary that uses iroh/iroh-gossip for QUIC-based gossip, announces presence, accepts direct QUIC streams, and stores identity/peer/friend state. The only notable capability that may surprise users is an integrated network scanner that can probe arbitrary CIDR ranges (bounded by MAX_SCAN_IPS ~1,048,576) and will auto-insert discovered peers into the local peer store. There are no unrelated required environment variables or unexpected binaries.
- Instruction Scope (note): SKILL.md instructs to build and run the CLI and documents commands (discover, announce, daemon, scan, connect, send, chat). The instructions and code read/write config and identity files under the user's config/data dirs as expected. They also include instructions to run a continuous daemon and to perform potentially large network scans; these instructions remain within the claimed scope but expand behavior from passive discovery to active wide-area probing.
- Install Mechanism (ok): This is an instruction-only skill with full Rust source included; the declared build step is `cargo build --release`. No external ad-hoc downloads or URL-based installers are present. Building will compile crates from crates.io (iroh, iroh-gossip, reqwest, etc.), which is expected for a Rust networked tool and is moderate-risk only because it results in native binaries that will run network code.
- Credentials (ok): The skill requests no environment variables or external credentials. It generates and stores a local Ed25519 secret (identity.key) in the user's data directory and persists peer/friends/config files in standard user locations. That storage is appropriate for the stated functionality and no unrelated secrets are requested.
- Persistence & Privilege (note): The skill does not force always=true and uses normal autonomous invocation defaults. It writes local config/identity/peer/friends files and can bind to UDP on the user machine (well-known discovery port 19851) and run a long-lived daemon that periodically broadcasts announcements and listens for probes. That persistence is coherent with the purpose but, combined with the scanner/daemon features, increases the potential blast radius if the agent is allowed to run autonomously or the daemon is left enabled.
