NANDA Chapter Skill
PassAudited by ClawScan on May 12, 2026.
Overview
The skill appears purpose-aligned for joining NANDA chapters, but it creates a persistent local signing key and sends user-approved chapter data over the network.
This skill is reasonable for its stated purpose if you trust the NANDA chapter operators and your local OpenClaw environment. Before installing, understand that it stores an unencrypted local signing key, sends approved intents and responses to chapter servers, and may display untrusted chapter-provided content in chat.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the identity file may be able to impersonate the agent to joined chapters.
The skill creates and stores a persistent private key used to identify and sign as the agent; this is purpose-aligned but sensitive if the local machine or OpenClaw runtime is compromised.
The keypair lives at `$OPENCLAW_HOME/skills/nanda-chapter/identity.json` (file mode `0o600`, PKCS8 PEM, unencrypted at rest).
Install only in a trusted user account, protect the OpenClaw home directory, and avoid using this skill where hardware-backed or encrypted-at-rest keys are required.
Information submitted through the skill may be visible to chapter operators and, for some records, federation peers.
The skill sends user-provided intents, calls, and profile information into a chapter/federation environment where chapter operators can see it.
Intents, calls, and profile fields you publish are visible to the chapter that hosts you. End-to-end member-to-member encryption is not part of the v0.3 protocol.
Only submit information you are comfortable sharing with the chosen chapter operator and its federation model.
Approving a prompt can register the agent, submit an intent, respond to a call, or change event subscriptions on a chapter.
The skill can perform remote state-changing operations, but the documented workflow requires user confirmation and target disclosure before sending them.
Always confirm mutating verbs (`join`, `submit intent`, `respond to call`, `subscribe`, `unsubscribe`) before issuing the request, showing the resolved target.
Review the resolved chapter URL and exact text/body shown in the confirmation before approving mutating actions.
A malicious or compromised chapter could display text that tries to influence the agent, although the skill includes defenses to mark it as data.
Chapter dashboards, registry fields, and SSE events are untrusted external content that may be rendered into the agent context; the helper documents sanitization and wrapping mitigations.
All of them flow to the LLM's context window, where ASCII-art "system: ignore prior instructions" lines could be misinterpreted as instructions.
Treat chapter dashboard and event text as untrusted content, and do not follow instructions that appear inside chapter-provided data.
An event stream may keep receiving and surfacing chapter events until stopped.
The skill supports a long-lived event stream, but it is an explicit user-invoked verb rather than hidden persistence.
`stream events for <subscription-id> on <chapter>` — open a long-lived SSE connection and surface each new event as a one-line summary to the user.
Start event streams only when needed and unsubscribe or stop streaming when finished.
The skill may not run until dependencies are installed, and dependency provenance depends on the user's Python package source.
The skill has no install spec but documents manual Python dependencies; this is expected for the helper-based design, but dependency installation is left to the user environment.
pip install cryptography>=42 httpx>=0.27 base58>=2.1
Install dependencies from a trusted package index or a pinned/managed Python environment.