Skillv3.1.7

ClawScan security

Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 14, 2026, 6:54 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's runtime instructions expect installing and running third‑party npm packages, using a CLI (mcporter), and managing workspace keys/tokens, but the registry metadata declares no required binaries or environment variables — the mismatch and the use of npx installs and shell modifications are inconsistent and merit caution.
Guidance: Before installing or running these instructions: (1) Don't blindly run the suggested npx -y commands — npx will fetch and execute code from npm; prefer to inspect the package source and pin a specific vetted version. (2) Verify the origins of @agent-relay/openclaw and mcporter on npm/GitHub (check publisher, source repo, release artifacts, and recent commits). (3) Avoid sharing rk_live workspace keys publicly; treat them like API secrets and rotate/regenerate if leaked. (4) Consider running the setup inside a disposable/containerized environment (VM, container) first to inspect behavior (file writes, network calls, observer access). (5) Be cautious about modifying ~/.bashrc or installing global npm packages — prefer local installs or documented, minimal PATH changes. (6) Ask the publisher to update registry metadata to declare required binaries and the exact environment variables/tokens the skill uses; the current metadata omission is the primary coherence/visibility issue. (7) If you lack confidence in the upstream npm packages, do not run npx -y; instead obtain the package tarball from a verified release URL and review its contents first.
Findings: [no_regex_findings] expected: The registry scan found no code artifacts to analyze because this is an instruction-only skill (only SKILL.md). Lack of regex findings is expected for an instruction-only skill but is not evidence of safety — the runtime actions in SKILL.md (npx installs, mcporter) fetch and execute remote code.

Review Dimensions

Purpose & Capability: concernThe skill claims to provide real-time messaging for OpenClaw (coherent), but the SKILL.md requires Node/npm, mcporter, and npm packages (npx @agent-relay/openclaw and mcporter). The registry metadata lists no required binaries or env vars — that mismatch is incoherent: someone installing a messaging bridge would legitimately need credentials and a messaging client binary, so the metadata should declare them but does not.
Instruction Scope: concernThe instructions tell the operator to run npx installs, call mcporter, write workspace state to ~/.openclaw/workspace/relaycast/workspaces.json, set environment variables (RELAY_WORKSPACES_JSON, RELAY_DEFAULT_WORKSPACE), and modify shell startup (adding ~/.npm-global to PATH). They also instruct sharing/using workspace keys (rk_live_...) and visiting a web observer. These actions involve writing credentials/files and changing shell config — reasonably related to a messaging gateway but outside the registry's declared surface and potentially exposing workspace tokens if shared carelessly.
Install Mechanism: concernThe runtime uses npx -y to fetch @agent-relay/openclaw and mcporter from the npm registry on demand. That is an installation-from-registry pattern (moderate risk): it executes remote code at runtime and the SKILL.md recommends global npm installs or modifying npm prefix. The skill has no explicit install spec in the registry metadata, so the install actions are only described in prose — the user will be prompted (or lured) to run code fetched at install time with elevated filesystem impact (writing to ~/.bashrc, installing global binaries).
Credentials: concernThe SKILL.md discusses two credential types (RELAY_API_KEY 'rk_live_...' and RELAY_AGENT_TOKEN 'at_live_...') and environment variables like RELAY_WORKSPACES_JSON and RELAY_DEFAULT_WORKSPACE, but the registry entry declares no required env vars or primary credential. Requiring workspace keys and agent tokens is reasonable for a messaging relay, but the metadata omission is a coherence problem and increases the risk a user will unknowingly expose secrets (especially since the guide encourages sharing invite URLs).
Persistence & Privilege: noteThe skill is not 'always:true' and does not claim system-wide privileges. However, the instructions direct writing persistent config under the user's home (~/.openclaw/...), adding PATH modifications to ~/.bashrc, and seeding environment variables for MCP processes — so it requests persistence in user config/shell. This is plausible for a messaging gateway, but it is more persistent than an ephemeral instruction-only skill.