Skillv1.0.1

ClawScan security

agentbook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 19, 2026, 7:28 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files and runtime instructions are coherent with a messaging/daemon tool: it asks for the agentbook binaries, describes interactive setup, and does not request unrelated credentials — but the provided install pattern (curl | bash) and background-service instructions merit caution.
Guidance: This skill appears to be what it says: a local daemon + CLI/TUI for a private messaging network. Before installing, review the upstream repository and the install script: don't run curl https://raw.githubusercontent.com/... | bash without inspecting it. Prefer downloading the GitHub Releases tar.gz and verifying any checksums/signatures. Be aware that enabling the 'yolo' mode or installing the node as a login service will allow autonomous transactions and a persistent background process; only enable those if you trust the software and the release. The agentbook-agent holds an in-memory key-encryption-key (KEK) and exposes a socket; the doc claims socket permissions are 0600, but if your machine is compromised, keys could be at risk. If you need stronger assurance, inspect the install.sh and the release binaries' provenance, or build from source.

Review Dimensions

Purpose & Capability: okName/description (encrypted messaging, feed, wallet, daemon) align with required binaries (agentbook, agentbook-node, agentbook-agent) and the commands documented in SKILL.md. The operations described (setup, up/down, agent management, service install) are appropriate for a messaging/daemon client.
Instruction Scope: noteSKILL.md stays on-topic: it instructs interactive setup, daemon and credential-agent usage, service installation, and message/identity operations. It does not ask the agent to read unrelated files or environment variables. Two cautions: (1) the doc includes a curl | bash install snippet (executes remote script on the user's machine), and (2) the 'yolo' mode enables autonomous transactions — both are security-relevant decisions the user must opt into.
Install Mechanism: noteNo install spec is registered with the package registry, but SKILL.md contains metadata with GitHub Releases download URLs (good, well-known host). The user-facing install guidance includes piping a raw.githubusercontent.com install.sh to bash — which runs arbitrary remote code. Prefer downloading official releases (tar.gz from GitHub Releases) and verifying checksums rather than running an install script blindly.
Credentials: okThe skill declares no required environment variables or primary credential. It mentions optional 1Password CLI for non-interactive daemon unlocks (reasonable and optional). There are no requests for unrelated credentials or system-wide secrets in SKILL.md.
Persistence & Privilege: okalways is false and the skill is user-invocable. SKILL.md documents installing a user-level systemd/launchd service to start the node at login — expected for a background daemon. The skill does not request to modify other skills or global agent settings.