Skill v1.0.0

ClawScan security

神经元 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review, Mar 13, 2026, 3:29 AM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill's distributed discovery and broadcasting behavior is coherent with its stated purpose, but there are multiple implementation and security inconsistencies (invalid port, undocumented env var, no authentication, and LAN-broadcast of user queries) that make it risky to deploy without further changes and review.
Guidance
This skill implements LAN discovery and will broadcast tasks and final results to other hosts on your local network. Before installing:
1) Do not use on untrusted or public networks — any host on the LAN can impersonate nodes because there is no authentication.
2) The configured discovery port (83668) is invalid (valid ports are 1–65535); fix the port in config.json/SKILL.md before use.
3) Consider adding authentication/encryption for node announce, task RPC, and result broadcasts to prevent data leakage.
4) Be aware the skill will persist a node_identity.json file in the skill directory and will accept an undocumented OPENCLAW_NODE_ID env var to override the ID.
If you plan to use it, only run in tightly controlled networks and audit/modify the code to add authorization, input filtering, and a valid port.

Review Dimensions

Purpose & Capability
note: The name/description (distributed node discovery, task distribution, aggregation) match the code: the package implements UDP-based discovery, RPC-style calls to other nodes, local model invocation, and result aggregation. However the chosen discovery port (83668) is invalid (port numbers must be <= 65535) which breaks the core networking functionality and contradicts the configuration/instructions that ask you to open that port. The skill also attempts to discover the local IP by connecting to 8.8.8.8 — a common technique but it implies an external network connection to determine local IP.
Instruction Scope
concern: SKILL.md and the code instruct the agent to broadcast tasks and final results over the LAN. That means user queries (potentially sensitive) will be sent to other nodes. There is no evidence of authentication or signing of announce/messages in the code (node identity is just a generated ID and optional OPENCLAW_NODE_ID env var), so any host on the LAN can claim to be a node or receive tasks. The SKILL.md correctly warns to only use in trusted networks, but the runtime instructions give the agent broad discretion to send user data across the network and to save node identity to disk. Also the code reads an environment variable OPENCLAW_NODE_ID (used to override the generated node id) but this env var is not declared in the skill metadata or documented in SKILL.md — mismatch between runtime behavior and declared inputs.
Install Mechanism
ok: There is no install spec (no packages downloaded or installed). The skill includes Python code files that will run in the agent environment; not having an install step lowers supply-chain risk but means the provided code executes as-is in the agent process. No external URLs or archives are pulled by an installer.
Credentials
concern: The registry metadata declares no required env vars, but the code will check for OPENCLAW_NODE_ID and honor it if present (undocumented). The skill performs network I/O and will send user queries/aggregated results out over UDP and via context.rpc_call — this is a form of data sharing/exfiltration that should be considered sensitive. No credentials, encryption, or authentication mechanisms are implemented in the provided code, which is disproportionate risk for a skill that broadcasts potentially sensitive prompts/results to arbitrary LAN hosts.
Persistence & Privilege
note: The skill writes a persistent node_identity.json to the scripts directory to store the generated node ID. It does not request elevated privileges or modify other skills' configs. 'always' is false and the skill is user-invocable, so it does not force inclusion in all agent runs. Writing this identity file is within scope but users should be aware it will persist a local identifier on disk.