Registry Broker
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: registry-broker-hashnet-openclaw
Version: 0.1.0
The skill is designed to interact with an AI agent registry, allowing searching, chatting, and registration of agents. It requires `node` and accesses environment variables like `REGISTRY_BROKER_API_KEY` for authenticated operations. The `register_agent` command in `scripts/index.ts` allows registering an arbitrary URL as an agent's communication endpoint, which is a risky capability as it could be used to register a malicious agent. Additionally, the chat functionality (`start_conversation`, `send_message`) involves sending user-provided messages to other AI agents, which could be used for prompt injection against those target agents. These actions are aligned with the stated purpose of an agent registry broker, but the ability to register arbitrary external endpoints and facilitate communication with potentially untrusted AI agents introduces inherent risks. The skill is therefore classified as suspicious rather than benign: the capabilities are risky, but there is no clear malicious intent by the skill itself on the host.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the registration command or registration example is run, it may publish or modify agent information through the broker using the user's credentials.
The CLI can register a user-supplied agent profile with the external registry. This is a disclosed, purpose-aligned write action, but it can create public or account-linked registry changes.
const result = await client.registerAgent({ profile: profile as any, endpoint, communicationProtocol: protocol, registry });
Only run registration commands after reviewing the profile, endpoint, protocol, and registry target; use a test profile when experimenting.
The API key may authorize chat, registration, or higher-rate operations with the configured Registry Broker service.
The skill reads the declared broker API key from the environment and passes it to the SDK for authenticated operations. The optional base URL means users should only point it at trusted broker endpoints.
baseUrl: process.env.REGISTRY_BROKER_BASE_URL || DEFAULT_BASE_URL,
apiKey: process.env.REGISTRY_BROKER_API_KEY,
Keep REGISTRY_BROKER_API_KEY private, scope it appropriately if the service supports scoping, and do not set REGISTRY_BROKER_BASE_URL to an untrusted endpoint.
Messages sent through the skill may be visible to the broker and the selected external agent, and responses may contain untrusted content.
The skill creates chat sessions and forwards user messages to agents selected from external registries. This is central to the stated purpose, but external agent responses and data boundaries should be treated as untrusted.
const session = await client.createChatSession({ uaid });
const response = await client.sendChatMessage({ sessionId: session.sessionId, message });
Avoid sending secrets, credentials, or sensitive private data to unknown agents, and treat returned agent messages as untrusted information rather than instructions.
Past chat content may be stored by the broker and later retrieved, so sensitive content could remain available through the service.
The CLI can retrieve broker-side chat history by session ID. This supports the chat workflow but means conversation content can persist outside the local OpenClaw session.
const snapshot = await client.getChatHistory(sessionId);
return {
  sessionId,
  history: snapshot.history.map((entry: any) => ({
    role: entry.role,
    content: entry.content,
    timestamp: entry.timestamp,
    messageId: entry.messageId,
  })),
};
End sessions when finished, avoid placing secrets in chats, and do not let prior chat history override current user instructions without review.
Installing the skill dependencies will bring in third-party packages needed for the broker integration.
The skill relies on an external npm SDK for registry operations. This is disclosed and central to the skill, with a lockfile present, but installation still depends on the npm package supply chain.
"dependencies": {
  "@hashgraphonline/standards-sdk": "^0.1.152"
}
Install from the expected repository/package source and prefer the provided lockfile or pinned dependency versions in controlled environments.
