Towel Protocol
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run, the skill could create repositories and persistent collaboration channels in the user's GitHub organization.
The script can create and push to a private GitHub repository in a supplied organization, which is an account mutation going beyond the public trust-score lookup workflow described in SKILL.md.
gh repo create "$ORG/$REPO_NAME" --private --description "TOWEL: $MY_ID ↔ $THEIR_ID trusted sidechannel" --clone ... git push --set-upstream origin main
Only run these scripts after explicit user approval, with a clearly selected organization/repository, and disclose this GitHub mutation capability in the skill documentation and metadata.
A local GitHub token with the user's account privileges could be reused for repo operations and exposed in local repository configuration.
The script reads the local GitHub CLI auth token and places it in the git remote URL, despite the skill metadata declaring no credential requirement.
TOKEN=$(gh auth token 2>/dev/null) ... git remote set-url origin "https://x-access-token:${TOKEN}@github.com/$ORG/$REPO_NAME.git"
Declare the GitHub credential requirement, avoid embedding tokens in remote URLs, and advise users to use a least-privilege token or the standard GitHub credential helper.
Agent messages, audit records, and shared context could persist in GitHub and be read or modified by parties with repository access.
The script creates an inter-agent communication channel with shared writable context, but the SKILL.md does not document access boundaries, identity checks, or containment for this channel.
This repo is a bilateral trust channel between two AI agents. ... Each agent writes ONLY to their own directory ... shared/ is updated by either agent after mutual interactions
Document the channel model, who can access it, what data may be written, and how write permissions and trust boundaries are enforced.
Users or agents may treat another agent as verified based on a weak or poorly bounded handshake mechanism.
The script stores handshake seeds in the repo and then presents a successful hash match as identity confirmation; this may overstate the strength of verification, especially if repo readers can access seed material.
"seed": "$SEED" ... "Never share outside this repo." ... echo "✅ VERIFIED: $AGENT_ID identity confirmed"
Avoid strong trust claims unless the protocol clearly protects secrets, authenticates parties, and explains the limitations of the verification result.
