Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
agentrelay
v1.1.1
Reliable agent-to-agent communication protocol for transferring large payloads via shared files with pointer references and secret code verification. Trigger...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with code and docs: the package implements a file-backed relay (write file, send short pointer, verify secret). No network endpoints, external services, or unrelated credentials are requested.
Instruction Scope
SKILL.md instructs agents to 'immediately execute' the run_relay.py commands when trigger phrases appear (normal for a skill), but the implementation will resolve ptrs that are not validated as storage aliases. If a message contains a pointer not starting with the storage alias (e.g., an absolute path or '../..' path), resolve_alias returns that path and the code will read (and, in burn-on-read flows, delete) arbitrary files outside the intended storage directory. The instructions and examples assume 's/...' pointers only but do not mandate or enforce them.
Install Mechanism
Instruction-only install (no external downloads or installers). Files are included in the package but there is no install script that fetches remote code. Risk from install mechanism itself is low.
Credentials
The skill declares no required environment variables, but the code honors OPENCLAW_DATA_DIR if set (fallback to ~/.openclaw/data). That's reasonable, but the skill did not declare this env var in metadata. No credentials are requested or used.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It writes its own files under a configurable data dir and maintains a registry/logs — behavior consistent with its purpose.
What to consider before installing
This skill mostly does what it says (file-backed message pointers + secret verification) and has no network exfil endpoints, but it does not validate pointer fields. An attacker or a malicious agent message could supply a pointer like '/etc/passwd' or '../some/other/path' and the skill will read (and, if burn_on_read is set, delete) that path. Before installing or enabling this skill:
1) Review or patch __init__.py.resolve_alias/agentrelay_receive/agentrelay_update to enforce that ptr values must use the storage alias (e.g., start with 's/') and reject absolute or parent-relative paths;
2) Ensure burn_on_read deletes only files under the configured OPENCLAW_DATA_DIR;
3) Run the included tests in an isolated sandbox and set OPENCLAW_DATA_DIR to a dedicated directory (don't use your real home directory);
4) If you accept remote-triggered execution via the skill trigger patterns, consider restricting who can send AgentRelay messages or require an out-of-band confirmation step before executing filesystem actions.
If you cannot audit or fix the pointer validation, treat this skill as unsafe for use with untrusted agents or inputs.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📨 Clawdis
