ClawHub

Yggdrasil

v0.1.3

Diagnose Yggdrasil installation and daemon status for IPv6 P2P connectivity. Use when P2P fails, user asks about connectivity, or Yggdrasil needs to be insta...

0· 283·0 current·0 all-time
byYilin@jing-yilin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (diagnose Yggdrasil, help install/start daemon) matches the SKILL.md and references/install.md content. The Node install spec (@resciencelab/declaw) plausibly provides the gateway plugin the instructions expect; no unrelated services or credentials are requested.
Instruction Scope
Instructions legitimately cover checking for the yggdrasil binary, installing it, setting network capabilities (setcap/CAP_NET_ADMIN or running as root), and restarting the gateway. They ask the agent/operator to run system-level commands and to add apt repos. This is expected for a network/daemon helper, but the guidance includes piping a downloaded GPG key into sudo apt-key add and adding an HTTP apt repo — both are operationally sensitive and should be executed only after verifying source integrity.
Install Mechanism
Install uses a Node package (@resciencelab/declaw) — a reasonable, traceable registry artifact — plus standard platform package commands and GitHub releases for manual installs. This is moderate risk (installing third-party packages). The apt repo URL in the instructions is served over HTTP (not HTTPS) which could be subject to MITM if used; the curl|sudo apt-key add pattern is also high-privilege and should be treated cautiously.
Credentials
The skill requests no environment variables, secrets, or config paths. The elevated privileges it references (CAP_NET_ADMIN, running installers with sudo) are required by Yggdrasil to create TUN interfaces and are proportional to the stated purpose.
Persistence & Privilege
always:false and normal model-invocation settings. The SKILL.md says the plugin/gateway will detect and start the daemon — expected behavior for a plugin managing a network daemon. There is no request to modify other skills or system-wide agent configs beyond starting the daemon.
Scan Findings in Context
[no_regex_findings] expected: Scanner found no code to analyze because this is an instruction-only skill (SKILL.md + references). That is expected, but it means the npm package (@resciencelab/declaw) and any code it installs were not inspected.
Assessment
This skill appears to do what it says: help install and diagnose Yggdrasil. Before installing: (1) review the Node package @resciencelab/declaw (its npm page or GitHub) to ensure you trust it, since the skill's runtime behavior depends on that package; (2) when running install commands, avoid blindly piping remote content into sudo — download and inspect GPG keys and package sources first; (3) note the apt repo in the instructions uses HTTP — prefer HTTPS or verify package signatures to avoid MITM risk; (4) the skill requires elevated privileges to create network interfaces (CAP_NET_ADMIN/root) — apply least privilege and run these steps on machines you control. If you want higher assurance, provide the package name and version so you or a reviewer can audit its code before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e56b0xvtqkfmg19tf43749n82739r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌐 Clawdis

Install

Nodenpm i -g @resciencelab/declaw

Comments