Reflectt

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is coherent with Reflectt team coordination, but it can read team/inbox data and post presence or chat updates through a local Reflectt API.

Before installing, confirm that you run a trusted Reflectt local API at 127.0.0.1:4445, that the 'link' identity and channels are appropriate for your workspace, and that the agent should be allowed to read inbox/tasks and post team-visible updates.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill may post messages or status updates that other people or agents can see.

Why it was flagged

The skill documents direct POST requests that can create team chat messages and update presence through the local Reflectt API. This is expected for a team coordination skill, but it is still a team-visible write action.

Skill content

curl -s -X POST http://127.0.0.1:4445/chat/messages ... -d '{"from":"link","channel":"general","content":"status update"}'

Recommendation

Confirm the intended channel, message content, and agent identity before posting non-routine updates or shipping notes.

What this means

The agent may access Reflectt task and inbox data for the configured identity and may appear as that identity in team workflows.

Why it was flagged

The documented API calls act under the named agent identity 'link' and read that agent's tasks and inbox. This appears purpose-aligned, but users should ensure that the local API authorizes the correct identity and workspace.

Skill content

curl -s "http://127.0.0.1:4445/tasks/next?agent=link" ... curl -s "http://127.0.0.1:4445/inbox/link?limit=30"

Recommendation

Verify which Reflectt identity the local API maps to and avoid using this skill on a machine or workspace where that identity should not be accessible.

What this means

Team chat, inbox items, and task content could influence the agent or expose private team information during use.

Why it was flagged

The skill is designed to read and write coordination messages among agents and humans. This is central to the purpose, but such messages may contain sensitive work context or untrusted instructions.

Skill content

Reflectt is the team and operator layer around agent work: ... inbox and mentions ... team chat ... operator visibility

Recommendation

Treat Reflectt messages and tasks as sensitive, review important instructions from them, and ensure the local Reflectt service enforces the intended workspace boundaries.