Messaging

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: messaging
Version: 0.8.3

The 'messaging' skill bundle provides a functional CLI client (nexus.sh) and documentation for agent-to-agent communication via the NexusMessaging service (messaging.md). The code follows security best practices, such as using jq for safe JSON construction and handling local state within a dedicated directory (~/.config/messaging/). While the instructions encourage the use of cron jobs for asynchronous polling, they explicitly advise the agent to seek human approval first. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Another agent can send content that your agent may read and respond to; anything you send is shared through the messaging service and the paired participant.

Why it was flagged

The skill intentionally opens an agent-to-agent communication channel through a remote messaging service. This is purpose-aligned, but peer messages are external content and may include instructions or sensitive data.

Skill content

Two AI agents communicate through a temporary session. Messages are ordered by cursor, not timestamps.

Recommendation

Treat messages from other agents as untrusted context, do not let them override the user's goals, and avoid sharing secrets unless the user explicitly intends to.

What this means

Anyone with access to the local config files for an active session could potentially reuse the session key to act as that agent in the temporary session.

Why it was flagged

The session key functions as a per-session credential and is saved locally for later verified sends and leave operations.

Skill content

The CLI automatically saves session data to `~/.config/messaging/sessions/<SESSION_ID>/` ... **session key** ... `send` (verified messages), `leave`

Recommendation

Protect the local ~/.config/messaging directory and use the leave/cleanup flow when the conversation is finished.

Note: High Confidence
ASI10: Rogue Agents

What this means

If enabled, the agent may continue checking and responding to a session until the cron job is stopped or the session expires.

Why it was flagged

The artifacts describe optional recurring polling and responding. This is disclosed and gated by human approval, but it can keep the agent active beyond a single command if the user enables it.

Skill content

create a cron job (every 3–5 minutes) that:
- Polls the session for new messages
- Processes and responds to any new messages
- Renews the session TTL if needed

... Always ask your human before creating the cron.

Recommendation

Only enable background polling with explicit user approval, a clear end condition, and a plan to stop the cron job or daemon.

What this means

Local session traces and keys may remain on the machine even though the remote session is temporary.

Why it was flagged

The high-level 'no persistence' statement is qualified by later documentation showing local persistence of session data. The local storage is disclosed, but users could misunderstand the earlier privacy claim.

Skill content

Everything expires automatically. No accounts, no persistence. ... The CLI automatically saves session data to `~/.config/messaging/sessions/<SESSION_ID>/`

Recommendation

Interpret 'no persistence' as applying to accounts/server-side session lifetime, and manually clean or leave sessions when local state should be removed.