peaq Robotics

Advisory | Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked, the agent can make persistent identity, storage, or access-control changes in the configured peaq/ROS environment.

Why it was flagged

The skill exposes commands that can create/read identity data, write/read storage, and modify access roles or permissions through ROS 2 services.

Skill content
- DID create/read
- Storage add/read
- Access role/permission operations

Recommendation

Use the mutating commands only for explicit user requests, verify the target ROS domain and config, and review access-control changes before applying them.

What this means

Commands will act in the context of the local peaq robot configuration and any account or wallet identity that the ROS node uses.

Why it was flagged

The ROS node is started with a local peaq robot config, and the skill performs identity/access operations through that configured environment.

Skill content
Config YAML exists (either:
  - set `PEAQ_ROS2_CONFIG_YAML`, or
  - use default `<PEAQ_ROS2_ROOT>/peaq_ros2_examples/config/peaq_robot.yaml`).

Recommendation

Set `PEAQ_ROS2_ROOT` and `PEAQ_ROS2_CONFIG_YAML` explicitly, verify they point to the intended account/config, and avoid exposing sensitive config files.

What this means

A compromised or unexpected local ROS workspace could affect what actually runs when the skill starts nodes.

Why it was flagged

The reviewed skill delegates core runtime behavior to local ROS packages and workspace code that are not installed or fully provenance-verified by this skill.

Skill content
`peaq-robotics-ros2` workspace is already present and built.

Recommendation

Use only a trusted peaq-robotics-ros2 checkout/build and keep the ROS overlay environment under user control.

What this means

Sensitive data could be stored unintentionally, and retrieved JSON should not be blindly treated as trusted instructions.

Why it was flagged

The skill can write and later read JSON data through the storage service, including data that might be reused as agent state.

Skill content
"Read my DID, store this JSON as `agent_state`, then read it back."

Recommendation

Avoid storing secrets, clearly label stored state, and treat data read back from storage as untrusted unless the user verifies it.

Note | High Confidence
ASI10: Rogue Agents

What this means

ROS 2 nodes may remain active until stopped, potentially continuing to interact with the configured robot/peaq environment.

Why it was flagged

Start commands launch ROS 2 nodes in the background and store PID/log files, so processes can continue after the initial command returns.

Skill content
nohup "$@" >"$LOG_DIR/$name.log" 2>&1 &

Recommendation

Use the provided stop commands when finished and check the PID/log directories if behavior is unexpected.