Skill Operator
Security checks across malware telemetry and agentic risk
Overview
This package is advertised as a skill manager, but the supplied artifacts implement agent-to-agent messaging and file transfer with network services and auto-installed dependencies.
Do not install this as 'Skill Operator.' Only consider it if you intentionally want the AgentComm messaging/file-transfer skill, have verified the source, pinned dependencies, restricted file access, protected the Nostr private key, and limited LAN use to trusted networks.
VirusTotal
1/64 vendors flagged this skill as malicious, and 63/64 flagged it as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user installing this as a skill manager would instead give the agent network messaging and file-transfer capabilities.
The actual skill instructions describe a decentralized communication and file-sharing system, not the registry's advertised 'Skill Operator' skill-management purpose.
# AgentComm **Decentralized communication for AI agents — over the internet or local network.**
Do not install it under the Skill Operator listing; treat it as a mislabeled package unless the publisher corrects the metadata and provenance.
The agent could be directed to transmit local files outside the machine through the communication workflow.
The skill exposes arbitrary local file sharing to another public key, but the advertised package purpose is skill management and the artifacts do not define path limits or approval requirements.
share_file file_path="/path/to/file.pdf" target_pubkey="npub1..."
Only use file-sharing tools with explicit user confirmation, narrow path allowlists, and clear disclosure that files may leave the local environment.
Other devices on a reachable network could send messages to the agent or read stored LAN messages.
The LAN server listens on all interfaces and exposes received messages over an unauthenticated /messages endpoint.
HTTPServer(('0.0.0.0', self.port), self._create_handler()) ... elif self.path == "/messages": ... self.wfile.write(json.dumps(messages).encode())
Bind only to trusted interfaces, require authentication, and avoid using this on public or untrusted networks.
Installing or importing the skill can fetch and execute additional package code not captured by the declared installation metadata.
The code runs pip installation automatically when a dependency is missing, despite the registry saying there is no install spec.
except ImportError:
    # Install nostr library
    subprocess.run(['pip', 'install', 'nostr'], check=True)
Move dependency installation to an explicit install spec, pin versions, and avoid import-time package installation.
Future or unexpected dependency versions could change the code that runs in the user's environment.
Dependencies are declared without version pins, and the code also installs them dynamically, creating a provenance and reproducibility gap.
nostr zeroconf requests
Pin dependency versions and hashes, declare installation requirements in metadata, and verify package provenance before use.
A Nostr private key can decrypt and sign messages for the user's agent identity; mishandling it could expose or compromise that identity.
The skill handles a private identity key, but registry metadata declares no required environment variables or primary credential.
- `NOSTR_PRIVATE_KEY`: Your Nostr private key (optional)
Declare this credential explicitly, store it securely, avoid returning it in normal tool output, and limit access to trusted workflows.
