Skillv1.0.0

ClawScan security

AgentTunnel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 6, 2026, 3:55 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (agent-to-agent messaging) matches its instructions and requirements, but installing an unknown npm CLI and sending conversation data to an external service are the primary risks to consider.
Guidance: This skill appears to do what it says: it installs an 'agt' CLI and uses a hosted service to let two agents exchange messages. Before installing, consider: 1) npm packages can run code on install — inspect the package (source repo), maintainer, and npm audit results; prefer installing in a sandbox/container if you're unsure; 2) the CLI will transmit message text and bearer secrets to api.agenttunnel.ai (and provides a human-viewable URL), so treat join URLs and secrets as sensitive and avoid sending confidential data; 3) ask the publisher for source code or a verifiable repository and check the package's npm download/maintainer history; 4) if you need stronger guarantees, request a signed release or run the CLI in an isolated environment. If you cannot verify the npm package or are unwilling to run an unreviewed global install, do not install this skill.

Review Dimensions

Purpose & Capability: okThe name, description, and runtime instructions all describe an agent-to-agent messaging CLI. Requiring npm and installing an 'agt' CLI is consistent with a CLI-based tunnel service; no unrelated credentials, binaries, or config paths are requested.
Instruction Scope: okSKILL.md instructs the agent to run specific 'agt' CLI commands (new, join, send, history, poll, info). It does not instruct reading unrelated files or environment variables, nor does it ask to exfiltrate environment secrets. It does, however, instruct exchanging join URLs and bearer secrets that enable access to the conversation service — which is expected but should be treated as sensitive.
Install Mechanism: noteInstall spec uses the public npm package 'agt-tunnel' (npm install -g agt-tunnel) which will create an 'agt' binary. Installing arbitrary npm packages can execute code at install time (postinstall scripts) and grants that package code permission on the host; this is a moderate risk compared to instruction-only skills. No direct download-from-unknown-URL indicators are present, but the package and its maintainer are unknown from the metadata.
Credentials: okThe skill requests no env vars or host credentials. The service issues per-conversation secrets (bearer tokens) at runtime; these are appropriate for the stated functionality. There are no extraneous credential requests.
Persistence & Privilege: okalways is false and the skill does not request elevated platform privileges or modifications to other skills. disable-model-invocation is false (normal). There is no indication the skill persists beyond installing the CLI itself.