Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ClawLink
v1.0.1
Cross-instance agent communication for OpenClaw. ClawLink lets multiple OpenClaw sessions discover each other, delegate tasks, share knowledge, collaborative...
⭐ 0 · 35 · 0 current · 0 all-time
by Sharoon Sharif (@sharoonsharif)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, README, SKILL.md, protocol reference, and the client/server scripts all align: the skill enables agent discovery, delegation, broadcasts, and collaborative files via a relay server. The declared requirements (no env vars, no special binaries) match the implementation.
Instruction Scope
SKILL.md instructs users to run a relay that by default has no auth and unencrypted HTTP transport, and explicitly recommends exposing it via tunnels (ngrok/cloudflared) for internet access. The client persists identity to ~/.clawlink/agent_state.json and auto-discovers relays via mDNS. Those instructions are coherent for a mesh tool but broaden the agent's attack surface (unauthenticated remote agents can register, delegate tasks, and upload/download files).
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the shipped setup.sh installs Python dependencies via pip, including a fallback flag (--break-system-packages) and attempts at global installs. That is not an automatic remote-download risk, but running setup.sh will modify your Python environment and install third-party packages, which is typical but worth noting.
Credentials
The skill requests no environment variables or secrets. The client/server read/write a small local state file (~/.clawlink/agent_state.json) and call standard networking APIs (hostname, sockets). No unexpected credentials or config paths are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It persists only its own agent_state.json. However, because the skill enables autonomous remote task delegation (and model invocation is allowed by default), an exposed relay increases the potential blast radius: other agents can instruct this agent to perform actions, which may lead to data access or exfiltration if the agent executes delegated tasks.
What to consider before installing
This package appears to do what it says: run a relay and let OpenClaw instances talk to each other. That usefulness comes with real security trade-offs. Before installing or running the server:

1) Do not bind the relay to 0.0.0.0 or expose it to the public Internet without adding authentication and TLS (the code is unauthenticated and unencrypted by default).
2) If you must access it across the internet, place the relay behind a reverse proxy or VPN that enforces access control, or require tunnels that include auth.
3) Treat any agent that can register as potentially able to request reading files or performing actions; only join trusted agents and avoid sharing sensitive files via the mesh.
4) Inspect and, if needed, modify the server to add auth (API keys, tokens) and enable HTTPS/WSS before internet use.
5) Run the relay in an isolated environment (container/VM) and restrict network exposure via firewall rules.
6) Be aware setup.sh will install pip packages and write ~/.clawlink/agent_state.json; if you lack operational controls or don't accept network risk, do not run the relay.

If you want a safer assessment, provide the full truncated portions of server.py/client.py (the listings were truncated) so I can review any remaining logic (auth hooks, file handling, or hidden endpoints) that would change the risk level.

Like a lobster shell, security has layers — review code before you run it.
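The scan's points 1, 2 and 4 (loopback-only binding, a shared secret checked before any request reaches the relay, TLS terminated in front) can be met without touching the relay by putting a small authenticating gate between the tunnel and the relay. The block below is an added example written for this listing; it is not ClawLink or OpenClaw code. It assumes a hypothetical relay port of 8765 on 127.0.0.1 (ClawLink's actual port and endpoints are not shown on this page), a secret supplied in the hypothetical environment variable CLAWLINK_PROXY_TOKEN, and that whatever exposes the gate (cloudflared, nginx, a VPN) terminates TLS, because the gate itself speaks plain HTTP on loopback only.

```python
"""Bearer-token gate in front of an unauthenticated relay (added example, not ClawLink code).

Assumptions (hypothetical, not taken from the skill):
  * the relay listens on plain HTTP at 127.0.0.1:8765 and is reachable only on loopback;
  * TLS is terminated by whatever sits in front of this gate (cloudflared, nginx, a VPN);
  * the shared secret is provided in the CLAWLINK_PROXY_TOKEN environment variable.
"""
import hmac
import http.client
import ipaddress
import os
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM_HOST = "127.0.0.1"
UPSTREAM_PORT = 8765  # hypothetical relay port

# Headers never copied between client, gate and relay. Authorization is consumed
# here so the secret never reaches the relay; Content-Length is recomputed.
SKIP_HEADERS = {
    "authorization", "connection", "content-length", "host", "keep-alive",
    "proxy-authenticate", "proxy-authorization", "te", "trailers",
    "transfer-encoding", "upgrade",
}


def authorize(headers, expected_token):
    """True only for 'Authorization: Bearer <token>' equal to expected_token.

    hmac.compare_digest keeps the comparison constant-time, so a remote caller
    cannot recover the token byte by byte from response timing.
    """
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented.strip():
        return False
    return hmac.compare_digest(presented.strip().encode(), expected_token.encode())


def bind_is_loopback(host):
    """Accept only loopback literals; 0.0.0.0, :: and LAN addresses are refused."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def load_token(env_var="CLAWLINK_PROXY_TOKEN"):
    """Read the shared secret; refuse to start with a short or missing one."""
    token = os.environ.get(env_var, "")
    if len(token) < 32:
        raise SystemExit(f"set {env_var} to a random secret of at least 32 characters")
    return token


class GateHandler(BaseHTTPRequestHandler):
    token = None  # set once by serve()

    def _gate(self):
        # Reject before reading the body: unauthenticated callers get nothing forwarded.
        if not authorize(self.headers, self.token):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="relay"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        forwarded = {k: v for k, v in self.headers.items() if k.lower() not in SKIP_HEADERS}
        conn = http.client.HTTPConnection(UPSTREAM_HOST, UPSTREAM_PORT, timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=forwarded)
            resp = conn.getresponse()
            data = resp.read()
        except OSError:
            self.send_error(502, "relay unreachable")
            return
        finally:
            conn.close()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in SKIP_HEADERS:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = _gate


def serve(host="127.0.0.1", port=8766, token=None):
    """Run the gate; non-loopback binds are refused so the only public path is the TLS front."""
    if not bind_is_loopback(host):
        raise SystemExit(f"refusing to bind {host}: expose the gate only through a TLS-terminating front")
    GateHandler.token = token or load_token()
    with ThreadingHTTPServer((host, port), GateHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Point the tunnel or reverse proxy at 127.0.0.1:8766 and keep the relay itself on loopback, so every request has to carry the bearer secret before the relay sees it. The stdlib server does not pass WebSocket upgrades through, so if the relay's WS transport must be reachable remotely the same token check has to live in a proxy that does (nginx, Caddy, or the relay code itself, per point 4 of the scan).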
latest · vk978hqeakhc65ktaj119wst94d83yp74
