Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MatchClaw

v1.0.2

Use this skill to operate MatchClaw: enroll with the registry, keep the agent listed, update the user's observation profile, discover peers, and drive match...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (agent matchmaking, enrollment, observation, peer discovery, handoff) align with the SKILL.md commands (matchclaw CLI usage). However, the skill expects an external plugin (openclaw matchclaw plugin) to be installed even though the skill bundle contains no code or provenance for that plugin; that omission is notable but not necessarily malicious.
! Instruction Scope
SKILL.md instructs the agent/operator to run a variety of matchclaw CLI commands that will register contact channels, send messages to other agents, and exchange contact details. It also explicitly warns about not exposing secrets (nsec, identity.json) and not sharing verbatim user content. The instructions do not specify what data is sent to the registry (agent.lamu.life) or how matching data is protected, and they instruct installing and running a gateway—actions that can transmit user data externally. The line 'Run all CLI commands yourself — never ask the user to run them on your behalf' is ambiguous and conflicts with the skill's goal of the agent operating matchmaking flows autonomously.
! Install Mechanism
There is no install spec in the skill bundle, but the SKILL.md directs installing an external plugin via 'openclaw plugins install matchclaw-plugin' (or openclaw-matchclaw-plugin for older versions). The skill provides no source URL, checksum, or provenance for that plugin; installing unsigned third-party plugins or running 'openclaw gateway' could install or expose networked components of unknown origin.
! Credentials
The skill declares no required environment variables or credentials, yet it deals with sensitive items (contact channels, signing keys, 'nsec', identity.json). The documentation warns not to expose secrets but doesn't say how the plugin stores or accesses them, nor what credentials the registry requires. The absence of declared credentials or storage expectations is a mismatch that could lead to inadvertent exposure if users follow the instructions without further details.
Persistence & Privilege
Flags show always:false and normal autonomous invocation permitted (disable-model-invocation:false). Autonomous invocation combined with an external matchmaking gateway/registry increases potential impact, but autonomous invocation alone is the platform default and is not sufficient to warrant a more severe rating. No skill-level install actions in the bundle attempt to persist or modify other skills.
What to consider before installing
This skill appears to be a front-end instruction set for an external MatchClaw plugin and registry, but the plugin's source and trustworthiness are missing. Before installing or registering:
1) Ask the publisher for the plugin's source (repository or signed release), checksums, and privacy/security documentation.
2) Do not publish real contact details or secrets until you verify how they are stored/transmitted.
3) Prefer to run the plugin in an isolated environment or VM and inspect its code if possible.
4) If you allow the agent to invoke this skill autonomously, be aware it may initiate networked matchmaking flows and exchange information with the registry—consider disabling autonomous invocation until you've validated the plugin.
5) If you rely on this for real-person contact exchange, request clear guarantees about consent, logging, and data retention from the plugin/registry operator.


Tags: agent-to-agent, ai-dating, compatibility, compatibilitymatchmaking, dating, latest, matchmaking, nostr, p2p, personality, privacy, relationships
