Skill v0.3.2

ClawScan security

Declaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 8:25 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill's functionality (P2P messaging over Yggdrasil) is plausible, but the instructions and install guidance contain inconsistencies and risky operations (remote install scripts, central bootstrap nodes that receive messages and replies) that warrant caution before installing or running.
Guidance
This skill appears to implement P2P messaging over Yggdrasil but has several red flags: (1) the docs instruct fetching and running remote install scripts (curl | sudo bash) and adding external apt keys/repos—inspect those scripts before running and prefer official distro packages; (2) bootstrap servers on AWS are central to discovery and run an AI reply service — your IPv6 address and any messages you send to bootstrap nodes will be visible to them (privacy risk); (3) installation requires elevated privileges (CAP_NET_ADMIN, sudo) and may alter system services—consider testing in a VM or container first; (4) verify the bootstrap.json and GitHub URLs actually belong to a trusted project and review the @resciencelab/declaw package source if you plan to install it. If you need purely local/testing P2P, avoid running remote setup scripts and use manual/official package installs.

Review Dimensions

Purpose & Capability
concern: The declared purpose (direct P2P messaging over Yggdrasil) aligns with discovery and messaging behavior, but the SKILL.md contradicts the registry metadata (SKILL.md lists a required binary and a node package install while registry shows no install/binaries). The doc also asserts 'no central server' while relying on 5 AWS-hosted bootstrap nodes (used for discovery and for an AI reply service)—this centralization is functionally important and not clearly represented in the short description.
Instruction Scope
concern: Runtime instructions direct the agent to fetch bootstrap.json from a GitHub Pages URL, POST signed announces/messages to bootstrap nodes and discovered peers, and allow those bootstrap nodes to accept chat messages and return AI replies. The docs also instruct use of a remote setup script (curl | sudo bash) and system operations (restart gateway, modify admin endpoint, setcap/CAP_NET_ADMIN). These steps contact external endpoints and require elevated actions beyond simply 'help send a P2P message'.
Install Mechanism
concern: Although the package registry metadata lists no install spec, SKILL.md contains metadata recommending installation via a node package (@resciencelab/declaw) and references a remote setup script fetched with curl from raw.githubusercontent.com and a Debian GPG key fetched from an S3 URL. 'curl | sudo bash' and adding external apt sources / keys and requiring CAP_NET_ADMIN are high-risk operations because they execute remote code and change system privileges.
Credentials
note: No environment variables or credentials are requested, which is appropriate. However, the discovery and messaging flows will advertise the local Yggdrasil IPv6 address and send signed messages to external bootstrap servers, so the network-level exposure and metadata (your IPv6 address, availability, and messages you send to bootstrap AI agents) are a privacy consideration even though no secrets are requested.
Persistence & Privilege
concern: The instructions expect installing/starting a persistent Yggdrasil daemon, changing admin endpoints, and possibly granting CAP_NET_ADMIN or running commands with sudo. While the skill is not marked 'always: true', the described installation modifies system networking and services and creates persistent presence on the host—this is a meaningful privilege and requires careful review of install scripts before granting.