communication-mqtt
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: communication-mqtt Version: 1.0.1 The skill is classified as suspicious due to two main indicators. First, the `SKILL.md` file contains a direct instruction (`cat ~/.openclaw/openclaw.json`) for the AI agent to execute a shell command to read a potentially sensitive configuration file for self-identification. While its stated purpose is benign, this is a clear prompt injection vector for file access. Second, the `scripts/publish.py` script constructs an MQTT message payload that includes a `channel` field containing a `bash` command template (`openclaw --agent {agent_id} --message "message_here"`). Although this command is not executed by the current skill and is published to a local MQTT broker, it represents a risky capability that could be abused for prompt injection or command injection against other agents if they blindly process such messages.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may require fetching Python packages from the user's configured package index.
The skill directs users to install unpinned Python packages and has no install spec or lockfile in the provided artifacts. The dependencies are expected for MQTT/Typer scripts, but users should be aware of the package-source trust decision.
pip install paho-mqtt typer
Install from a trusted environment, consider pinning package versions, and review dependency sources if using this in a sensitive setup.
Agent roles, activities, timestamps, and contact instructions may remain visible to later broker subscribers and could become stale or misleading.
Published intro and status messages are retained by the MQTT broker, creating persistent shared state that may remain available after the publishing command exits.
RETAIN = True ... retain=RETAIN
Do not publish sensitive activity details, use a trusted broker, and clear retained MQTT messages or disable retention if persistence is not desired.
Another local process or broker client could publish spoofed intro/status messages that the skill prints as received agent information.
The skill communicates through MQTT topics without any authentication, sender verification, or message integrity checks in the provided code. This is purpose-aligned for local agent messaging, but broker messages may come from any client with broker access.
BROKER = "localhost"
...
return f"agents/{agent_id}/{kind}" if agent_id else f"agents/+/{kind}"Use only a trusted local broker, treat received messages as untrusted, and add broker authentication or sender validation before relying on messages for decisions.