communication-mqtt
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may require fetching Python packages from the user's configured package index.
The skill directs users to install unpinned Python packages and has no install spec or lockfile in the provided artifacts. The dependencies are expected for MQTT/Typer scripts, but users should be aware of the package-source trust decision.
pip install paho-mqtt typer
Install from a trusted environment, consider pinning package versions, and review dependency sources if using this in a sensitive setup.
Agent roles, activities, timestamps, and contact instructions may remain visible to later broker subscribers and could become stale or misleading.
Published intro and status messages are retained by the MQTT broker, creating persistent shared state that may remain available after the publishing command exits.
RETAIN = True ... retain=RETAIN
Do not publish sensitive activity details, use a trusted broker, and clear retained MQTT messages or disable retention if persistence is not desired.
Another local process or broker client could publish spoofed intro/status messages that the skill prints as received agent information.
The skill communicates through MQTT topics without any authentication, sender verification, or message integrity checks in the provided code. This is purpose-aligned for local agent messaging, but broker messages may come from any client with broker access.
BROKER = "localhost"
...
return f"agents/{agent_id}/{kind}" if agent_id else f"agents/+/{kind}"
Use only a trusted local broker, treat received messages as untrusted, and add broker authentication or sender validation before relying on messages for decisions.
