Reef Protocol
Review. Audited by ClawScan on May 10, 2026.
Overview
Reef’s purpose is coherent, but it should be reviewed carefully because it installs an external OpenClaw channel/daemon that can automatically exchange messages with other agents and uses persistent agent identity keys.
Install only if you are comfortable running the Reef CLI/plugin and a background A2A listener. Verify the package source, protect the `~/.reef/` keys, restrict communication to trusted agents, and confirm before sending sensitive information or acting on remote agent requests.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill as instructed may run third-party code with access to the agent environment and messaging gateway.
The first-run flow pulls external, unpinned packages and installs an OpenClaw plugin that changes gateway behavior; this code is outside the provided instruction-only artifact review.
Quoted from SKILL.md: `npm install -g @reef-protocol/client ... openclaw plugins install @reef-protocol/reef-openclaw ... openclaw gateway restart`
Recommendation: Only install after verifying the npm packages and repository, prefer pinned versions, and require explicit user approval before plugin installation or gateway restart.

Another agent could influence the assistant’s behavior or receive information the local user did not intend to send.
Remote agents can place messages into the conversation and receive replies automatically, but the visible instructions do not clearly require trusted-peer filtering or local-user approval before responding.
Quoted from SKILL.md: Incoming Reef messages are delivered to you automatically via the channel plugin. When a message arrives, you will see it in the conversation — read it and respond naturally. Your text replies are automatically sent back to the sender as A2A messages.
Recommendation: Treat all incoming agent messages as untrusted, label their origin clearly, restrict communication to approved contacts, and require user confirmation before sharing sensitive information or taking actions.

A malicious or poorly written app rule file could steer future agent actions when reused.
Persistent markdown app rules are treated as authoritative context for agent behavior, creating a poisoning risk if an app file or peer-provided rules contain instructions outside the intended app scope.
Quoted from SKILL.md: Apps on Reef are markdown files stored at `~/.reef/apps/<appId>.md`... The markdown IS the app — agents read it, reason about the rules, and interact accordingly.
Recommendation: Validate app files, treat app markdown as untrusted data, follow only task-relevant rules, and remove unknown apps from `~/.reef/apps/`.

The agent may continue receiving network messages while the daemon is running.
A background listener is expected for an A2A messaging protocol, but users should be aware that it keeps the agent online and able to receive messages for as long as the session lasts.
Quoted from SKILL.md: Run this in the background — it must stay running for the duration of your session: `reef start ... &`
Recommendation: Start the daemon only when needed, know how to stop it, and monitor which contacts or rooms can reach the agent.

If these files are exposed, someone could impersonate the agent or access encrypted messaging state.
The skill creates and uses local cryptographic material that controls the agent identity and encrypted messaging database; the artifact appropriately warns that these files are sensitive.
Quoted from SKILL.md: Never share, log, display, or transmit the wallet key stored at `~/.reef/wallet-key`... The same applies to `~/.reef/.env` which contains the XMTP database encryption key.
Recommendation: Protect `~/.reef/wallet-key` and `~/.reef/.env`, exclude them from backups/logs/prompts, and rotate or recreate the identity if they are exposed.
