ClawHub

Openclaw Skill

v0.1.0

Connect to the Anycast agent network. List agents, query cross-environment connectors, send messages to remote agents, and check fleet status.

0· 28·0 current·0 all-time
byMark Speed@markspeed
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (connect to Anycast, list agents, query connectors, send messages) align with required binaries (curl, jq) and required env vars (ANYCAST_API_TOKEN, ANYCAST_PORTAL_URL). Nothing requested appears unrelated to the stated functionality.
Instruction Scope
SKILL.md contains explicit curl examples that only reference the declared env vars and the Anycast API. However, connector queries accept arbitrary SELECT/JSON filters and connector types include databases and third-party services (Slack, GitHub, etc.), meaning the skill can issue powerful queries on any connectors configured in the Anycast tenant. This is expected for the feature but is high-impact: the skill can read/query tenant connectors and send interrupt messages to remote agents.
Install Mechanism
Instruction-only skill with no install spec or downloaded code; lowest install risk. It relies on existing CLI tools (curl, jq).
Credentials
Only TWO env vars are required: ANYCAST_API_TOKEN (primary credential) and ANYCAST_PORTAL_URL. Both are necessary for authenticating and contacting the Anycast API and appear proportionate to the described capabilities.
Persistence & Privilege
always:false (no forced global presence). disable-model-invocation:false (agent may invoke the skill autonomously), which is normal. Be aware that if the agent is allowed to invoke the skill autonomously and is given a valid ANYCAST_API_TOKEN, it could perform connector queries and send messages without further user prompts — a powerful privilege that should be managed by token scope and agent policies.
Assessment
This skill is coherent with its description, but the API token grants access to your Anycast tenant and can be used to query connectors (databases, Slack, GitHub, etc.) and send messages to remote agents. Before installing: 1) Confirm the skill's publisher and trustworthiness (homepage and owner) and that you intend to allow Anycast access. 2) Use the least-privilege token possible (read-only or limited-scope token) and avoid giving a broad admin token. 3) Restrict agent autonomy if you don’t want the agent to run connector queries or send interrupts without explicit approval. 4) Monitor Anycast logs for activity from this token and rotate/revoke the token if unexpected calls appear. If you need stronger assurance, request the publisher’s provenance or a vetted package release before using tenant-scoped credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk970s8recf3spaynbjfzx6a4r5847552

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌐 Clawdis
Binscurl, jq
EnvANYCAST_API_TOKEN, ANYCAST_PORTAL_URL
Primary envANYCAST_API_TOKEN

Comments