Back to skill
Skillv0.0.1
ClawScan security
XMTP Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 11:31 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions and requirements are coherent with its stated purpose (bridging an existing agent to XMTP), but it makes operational choices that have security implications (local wallet keys, global npm install, running a persistent bridge) that you should understand before running.
- Guidance
- This skill appears to do what it says: set up a persistent bridge between XMTP and an agent. Before installing or running it, consider the following: (1) xmtp init writes private wallet/encryption keys to ~/.xmtp/.env — keep that file secure, or run the bridge in an isolated container/VM; (2) the instructions call for npm install -g @xmtp/cli (verify the package and pin versions); (3) the example uses the OpenClaw CLI — adapt the bridge to your agent runtime if you use something else; (4) owner inbox messages are given full agent capabilities (tools, memory, file access) — only give owner status to wallets/IDs you trust; (5) run rate-limiting, logging, and prompt-sanitization to reduce DOS and prompt-injection risk; and (6) test in a non-production environment first.
Review Dimensions
- Purpose & Capability
- noteThe skill is about connecting an agent to XMTP and its instructions use the XMTP CLI and an agent CLI (openclaw agent) to implement a bridge — this fits the described purpose. Minor inconsistency: the description promises support for many backends (Claude Code, LangChain, custom Python), but the provided bridge example and commands are OpenClaw-specific; users will need to adapt the sample if they use a different runtime.
- Instruction Scope
- concernThe SKILL.md instructs installing @xmtp/cli, running xmtp init which generates ~/.xmtp/.env containing a wallet/encryption key, and running a continuously streaming bridge that routes messages into your agent and back out. These steps are expected for an XMTP bridge but have important implications: private keys are written to local disk, the bridge is persistent (long-running), and owner messages are granted 'full agent capabilities' (tools, memory, file access). The skill does warn about DOS and prompt-injection, but the instructions nonetheless enable a process that could expose sensitive resources if misconfigured.
- Install Mechanism
- noteThere is no platform install spec in the skill bundle, but the runtime instructions require running npm install -g @xmtp/cli (via the public npm registry), Node 22+, and jq. Installing the XMTP CLI from npm is a reasonable choice for this purpose but carries normal npm risks (trusting the package, supply-chain issues, global install).
- Credentials
- noteThe registry metadata declares no required environment variables, which is consistent with the bundle, but the instructions rely on a generated local secrets file (~/.xmtp/.env) containing wallet and encryption keys and on an OWNER_INBOX_ID runtime variable for owner filtering. Granting the 'owner' inbox full agent privileges is functionally necessary for the described owner-vs-public behavior, but it is a high-privilege configuration — the skill does not request additional unrelated credentials, so scope is proportional but potentially sensitive.
- Persistence & Privilege
- okThe skill does not request always:true or any special platform privileges. It simply provides instructions to run a persistent bridge process; that is expected for the purpose and does not modify other skills or global agent settings.