Skillv0.1.3

ClawScan security

Ipv6 P2p · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 3, 2026, 1:08 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated P2P purpose is plausible, but the instructions ask the agent to run persistent network discovery/announcement, post to external bootstrap endpoints, and reference a node package installer that is not present in the registry install spec — these inconsistencies and unclear key/storage handling warrant caution.
Guidance: This skill intends to run a peer-discovery and P2P service that will contact external bootstrap endpoints, announce your agent's address/public key, and serve endpoints to peers. Before installing, ask the publisher these questions: (1) Will the '@resciencelab/declaw' Node package be installed automatically? If so, provide the exact install source (registry or GitHub release). (2) Where and how are Ed25519 keys generated, stored, and protected? Are persistent keys written to disk and to which path? (3) Which remote endpoints will be contacted (confirm the bootstrap URL and any fallback addresses) and can discovery/gossip be disabled or limited? (4) Does the agent open a listening port, and can you restrict or opt out of listening? If you cannot verify the package source and key/storage behavior, run this in an isolated environment or decline installation. Because the registry and SKILL.md disagree about installation, treat the skill as untrusted until the author clarifies those gaps.

Review Dimensions

Purpose & Capability: noteThe name/description (Yggdrasil/IPv6 P2P messaging) matches the instructions (peer discovery, signed messages, gossip). However SKILL.md contains an install metadata entry (node package "@resciencelab/declaw") while the registry manifest lists no install spec — mismatch between claimed runtime dependency and the registry. Also the skill implies it will sign messages with Ed25519 keys but does not declare where keys come from or how they are managed.
Instruction Scope: concernThe runtime instructions direct the agent to fetch a remote bootstrap list and POST /peer/announce to remote nodes, fan-out to other peers, run a periodic gossip loop, and serve /peer endpoints locally. Those actions will cause network traffic to external endpoints and can expose the agent's P2P address and public key. While these actions are expected for a P2P feature, the SKILL.md gives the agent broad discretion to announce and communicate with arbitrary peers and does not clarify consent, logging, or key storage — increasing the chance of unintended data leakage or persistent network activity.
Install Mechanism: concernNo install spec is present in the registry manifest (skill marked instruction-only), but SKILL.md includes install metadata pointing to a Node package (@resciencelab/declaw). This inconsistency is problematic: either the skill depends on an external package that won't be installed automatically, or an installation step is missing/undeclared. Both possibilities are a red flag because an undeclared install step could mean required code won't run or could be performed ad-hoc without clear review.
Credentials: noteThe skill requests no environment variables or credentials (good), but it requires Ed25519 signing and TOFU key caching. SKILL.md and references do not say how keys are generated, stored, or protected (no config paths declared). Absence of declared secrets is proportional to the stated purpose, but the missing key management details are a gap that should be clarified before trust.
Persistence & Privilege: concernThe skill describes running a startup announce and a periodic gossip loop (every 10 minutes) and serving HTTP endpoints. Although 'always' is false, the skill expects to maintain ongoing network presence and perform background announcements. Combined with autonomous model invocation being allowed, this increases the operational blast radius (periodic external network calls and listening on ports) and requires explicit user consent and clear operational controls that are not documented here.