Skill v1.1.1
ClawScan security
Keychat · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 8, 2026, 5:25 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions are coherent with installing a Keychat plugin, but it will download and run a native bridge binary, store private identity mnemonics in the OS keychain, and auto-accept contacts — actions that introduce notable risks and whose download provenance isn't detailed.
- Guidance: This skill appears to do what it says (installing a Keychat plugin), but it performs sensitive operations: it downloads and executes a native bridge binary, stores private identity mnemonics in your OS keychain, writes config to openclaw.json, and will broadcast the agent's Keychat ID/QR and auto-accept contacts. Before installing: (1) verify the plugin package provenance (inspect the @keychat-io/keychat package and the GitHub repo link provided) and confirm the URL used to fetch the bridge binary; (2) review the plugin code or ask the maintainer where binaries are hosted and whether checksums/signatures are provided; (3) confirm you are comfortable with the agent automatically creating and sharing an identity and auto-accepting contacts (consider disabling auto-accept if possible); (4) consider installing first in a sandbox or test agent; and (5) ensure you understand how to revoke/delete the generated identity and where mnemonics are backed up. If you cannot verify the binary provenance or code, treat the install as higher risk.
- Findings
  - [exec-rust-sidecar] expected: SKILL.md explicitly warns that the plugin spawns a Rust bridge sidecar for cryptography. Spawning native helper processes is expected for language-bridging crypto implementations, but it increases risk because native binaries are downloaded and executed.
  - [store-mnemonic-keychain] expected: SKILL.md states identity mnemonics are stored in the OS keychain (macOS Keychain / Linux libsecret). This is expected for local key storage, but it is a sensitive action and should be visible to users and administrators.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the SKILL tells the agent to install the @keychat-io/keychat plugin and restart the gateway. Automatic configuration of channels.keychat, creation of a Nostr identity, and exposing the agent's Keychat ID/QR to the user are consistent with a messaging plugin.
- Instruction Scope (note): The SKILL.md stays within the claimed purpose (install plugin, restart gateway). It explicitly states that after install the agent will generate an identity, store mnemonics in the OS keychain, and send the agent's npub/QR to the user's active chat and automatically accept contacts — all relevant to messaging but also privacy-sensitive and potentially surprising to users.
- Install Mechanism (concern): The skill is instruction-only and runs `openclaw plugins install @keychat-io/keychat`. The SKILL.md warns the plugin will download a 'bridge binary' (Rust sidecar) and spawn it. Because there is no install manifest here describing where that binary is fetched from, the install will cause an external native binary to be written to disk and executed — a higher-risk operation unless the download provenance is verified.
- Credentials (concern): No external API keys or env vars are requested (proportionate), but the plugin stores identity mnemonics in the OS keychain (macOS Keychain / Linux libsecret). That requires access to system secrets/storage and is not reflected in the skill's declared requirements; storing/using long-lived cryptographic secrets is sensitive and should be explicitly acknowledged.
- Persistence & Privilege (note): The skill does not request always:true and does not claim elevated platform privileges. It will modify agent configuration (channels.keychat in openclaw.json) and persist identity material in the OS keychain, which is normal for a messaging plugin but results in ongoing presence and the ability to receive messages and accept contacts automatically — a behavior users might want to approve explicitly.
