Skill v1.1.1

ClawScan security

agentrelay · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 3:10 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement the advertised agent-to-agent file relay, but it lacks pointer validation and allows resolving arbitrary paths (and deletion via burn-on-read), which is disproportionate to its stated safe storage model and could enable file-read / file-deletion outside the intended storage area.
Guidance
This skill mostly does what it says (file-backed message pointers + secret verification) and has no network exfil endpoints, but it does not validate pointer fields. An attacker or a malicious agent message could supply a pointer like '/etc/passwd' or '../some/other/path' and the skill will read (and, if burn_on_read is set, delete) that path. Before installing or enabling this skill:
1) Review or patch __init__.py.resolve_alias/agentrelay_receive/agentrelay_update to enforce that ptr values must use the storage alias (e.g., start with 's/') and reject absolute or parent-relative paths;
2) Ensure burn_on_read deletes only files under the configured OPENCLAW_DATA_DIR;
3) Run the included tests in an isolated sandbox and set OPENCLAW_DATA_DIR to a dedicated directory (don't use your real home directory);
4) If you accept remote-triggered execution via the skill trigger patterns, consider restricting who can send AgentRelay messages or require an out-of-band confirmation step before executing filesystem actions.
If you cannot audit or fix the pointer validation, treat this skill as unsafe for use with untrusted agents or inputs.

Review Dimensions

Purpose & Capability
ok: Name/description align with code and docs: the package implements a file-backed relay (write file, send short pointer, verify secret). No network endpoints, external services, or unrelated credentials are requested.
Instruction Scope
concern: SKILL.md instructs agents to 'immediately execute' the run_relay.py commands when trigger phrases appear (normal for a skill), but the implementation will resolve ptrs that are not validated as storage aliases. If a message contains a pointer not starting with the storage alias (e.g., an absolute path or '../..' path), resolve_alias returns that path and the code will read (and, in burn-on-read flows, delete) arbitrary files outside the intended storage directory. The instructions and examples assume 's/...' pointers only but do not mandate or enforce them.
Install Mechanism
ok: Instruction-only install (no external downloads or installers). Files are included in the package but there is no install script that fetches remote code. Risk from install mechanism itself is low.
Credentials
note: The skill declares no required environment variables, but the code honors OPENCLAW_DATA_DIR if set (fallback to ~/.openclaw/data). That's reasonable, but the skill did not declare this env var in metadata. No credentials are requested or used.
Persistence & Privilege
ok: Skill is not always-enabled and does not request elevated platform privileges. It writes its own files under a configurable data dir and maintains a registry/logs — behavior consistent with its purpose.