communication-mqtt
Pass. Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned and limited to local MQTT agent status messaging, but users should treat MQTT messages as untrusted and avoid publishing sensitive information because messages can be retained on the broker.
This skill is reasonable for local MQTT-based agent status sharing. Before using it, make sure the local MQTT broker is trusted, avoid putting secrets or sensitive work details in role/activity fields, and remember that retained or spoofed broker messages may be seen later by other subscribers.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may require fetching Python packages from the user's configured package index.
The skill directs users to install unpinned Python packages and has no install spec or lockfile in the provided artifacts. The dependencies are expected for MQTT/Typer scripts, but users should be aware of the package-source trust decision.
pip install paho-mqtt typer
Install from a trusted environment, consider pinning package versions, and review dependency sources if using this in a sensitive setup.

Agent roles, activities, timestamps, and contact instructions may remain visible to later broker subscribers and could become stale or misleading.
Published intro and status messages are retained by the MQTT broker, creating persistent shared state that may remain available after the publishing command exits.
RETAIN = True ... retain=RETAIN
Do not publish sensitive activity details, use a trusted broker, and clear retained MQTT messages or disable retention if persistence is not desired.

Another local process or broker client could publish spoofed intro/status messages that the skill prints as received agent information.
The skill communicates through MQTT topics without any authentication, sender verification, or message integrity checks in the provided code. This is purpose-aligned for local agent messaging, but broker messages may come from any client with broker access.
BROKER = "localhost"
...
return f"agents/{agent_id}/{kind}" if agent_id else f"agents/+/{kind}"
Use only a trusted local broker, treat received messages as untrusted, and add broker authentication or sender validation before relying on messages for decisions.
