agentrelay
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
AgentRelay is a coherent inter-agent relay tool, but crafted relay messages can make agents act automatically and can point them at local files outside the intended relay storage.
Install only if you need agent-to-agent relay behavior and can control which agents send AgentRelay messages. Before using it with sensitive data, add or require path containment checks, sender authentication, explicit approval for payload tasks, and regular cleanup of stored relay files and logs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted AgentRelay message could cause the agent to read an unintended local JSON file and expose its contents to the agent workflow.
The relay pointer comes from the received message, but the resolver accepts absolute or relative paths outside the storage alias and reads the resulting file without containment checks.
def resolve_alias(ptr: str, storage_root: Path, alias: str = "s") -> Path:
    if ptr.startswith(f"{alias}/"):
        return storage_root / ptr[len(alias)+1:]
    return Path(ptr)
...
file_path = resolve_alias(ptr, STORAGE_PATH, STORAGE_ALIAS)
with open(file_path, 'r', encoding='utf-8') as f:
    data = json.load(f)
Require pointers to use the storage alias, normalize and resolve paths, reject absolute paths and '..' traversal, and verify the resolved path remains under the AgentRelay storage directory before reading or deleting anything.
Another agent or crafted message could redirect the receiving agent into performing a task simply by using the AgentRelay prefix and payload format.
The skill makes message trigger phrases and file payload contents authoritative instructions for the receiving agent, with no clear approval gate or task boundary.
When you see these keywords, **immediately execute the Commands below**! ... **Step 2: Understand Task and Execute** Check the `content` field to understand what needs to be done
Require explicit user or policy approval before executing payload tasks, restrict acceptable task types, and treat relay file contents as untrusted input rather than direct instructions.
Relay participants may trust spoofable metadata or a shared file secret as if it proved agent identity or authorization.
The documented verification proves that the file was read, but it does not authenticate the real sender identity, receiver authority, or whether the requested task should be trusted.
Secret Code Verification
1. Sender generates 6-character random code
2. Secret is written to file
3. Receiver must return the same Secret in CMP
4. Sender verifies Secret matches
Add sender/receiver identity validation using platform-provided session identity, bind secrets to authenticated senders, and reject messages from untrusted or unexpected agents.
Relay payloads and routing metadata may remain on disk after the conversation, which can matter if messages contain sensitive task data.
The skill intentionally keeps persistent logs and also stores event files and registry data for relay verification and cleanup.
All operations automatically logged to: ~/.openclaw/data/agentrelay/logs/transactions_YYYYMMDD.jsonl
Each record contains:
- timestamp, event_id, type, status
- sender, receiver (real agent IDs)
- next_action_plan
Avoid sending secrets or private documents through the relay unless needed, use short TTLs or burn-on-read for sensitive payloads, and run the cleanup command regularly.
