Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Antenna
v1.2.19
Inter-host OpenClaw session messaging over reachable HTTPS using built-in gateway webhook hooks. Use when: (1) sending a message from this OpenClaw instance...
by Corey Shirley (@cshirley001)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's files and runtime instructions match the advertised purpose (building and relaying envelopes over /hooks/agent, peer registry, pairing, etc.). However the registry metadata declares no required binaries while SKILL.md/README list real prerequisites (jq, curl, openssl, age, optionally himalaya). That mismatch between declared requirements and the actual runtime requirements is an incoherence a user should notice. Also the skill requires modifying gateway/agent registration and may create a CLI symlink in system PATH during setup — these are reasonable for a relay plugin, but they are system-level changes not documented in the registry metadata.
Instruction Scope
Runtime instructions and agent docs direct the Antenna agent to write entire inbound messages to a temp file and exec shipped relay scripts which then call sessions_send to inject messages into target sessions. This is within the stated purpose, but it gives the relay scripts a privileged execution path triggered by external inputs. The SKILL.md and AGENTS.md state that parsing is deterministic and forbid the LLM from interpreting messages, but the scripts still parse and format peer-supplied headers and body. If the scripts perform unsafe shell expansions or pass untrusted fields into shell commands, that could enable command execution. Additionally, SKILL.md and README describe storing hooks tokens and peer identity secrets as plaintext files and optionally emailing bootstrap bundles — those instructions expand the scope to handling sensitive secrets and transmitting them during pairing, which is sensitive behavior that users should review.
Install Mechanism
No remote download/install spec is declared (code is bundled with the skill), which reduces supply-chain risk. There is a postInstall hook that runs the included setup script, and install/setup will modify gateway registration and create CLI symlinks per docs. Those are expected for functionality but do perform on-disk changes and gateway config edits; you should inspect the included setup scripts before running them. The install files themselves are local and not fetched from arbitrary URLs.
Credentials
The registry metadata lists no required environment variables, which aligns with the skill being file-driven, but the skill relies on plaintext token files and per-peer secret files (e.g., secrets/hooks_token_<id>, secrets/antenna-peer-<id>.secret). The SECURITY.md explicitly states secrets are stored plaintext with chmod 600. The skill also documents optional email-based exchange (himalaya) that could transmit bootstrap bundles externally. There are no cloud API keys declared in metadata, but the test suite and relay_model references imply optional model-provider integration (which would require provider credentials if you run those tests). Overall the set of secrets the skill handles is legitimate for this purpose, but storing them unencrypted and enabling email exchange are sensitive choices and should be considered carefully.
Persistence & Privilege
The skill requires (and documents) a relay agent configuration with sandbox: off and exec allowlist for the Antenna agent; setup may modify gateway agent registration. Running a non-sandboxed, exec-capable agent that will run scripts on inbound webhooks is a significant privilege. While this is required to inject messages via sessions_send and aligns with the skill's goal, it increases blast radius: a mis-parsed or malicious envelope (or a bug in relay scripts) could lead to execution of unintended commands. The skill does not set always:true, and autonomous invocation is default, so the agent can be invoked automatically — combine that with the elevated agent privileges and the attack surface grows.
What to consider before installing
This skill appears to implement a workable inter-host webhook relay, but it requires careful review and hardening before use. Before installing or running setup:
1) Inspect the setup and relay scripts (antenna-setup.sh, antenna-relay.sh, antenna-send.sh) for unsafe shell use (eval, unguarded variable expansions, command substitutions) and for any outbound endpoints you don't recognize.
2) Ensure your gateway/agent changes are acceptable: Antenna will ask to register/update an agent and requires sandbox: off and exec capability for the relay agent — only enable that if you trust the scripts and hosts.
3) Treat hooks tokens and peer identity secrets as highly sensitive: keep them in a locked directory, verify file permissions (chmod 600), and avoid email-based bundle exchange unless you encrypt the bundle and trust the transport.
4) Because the package metadata omits required binaries, install and verify prerequisites (jq, curl, openssl, age) first.
5) Test in an isolated/non-production environment to confirm behavior (and inspect antenna.log) before exposing to production hosts.
If you lack expertise auditing shell scripts, ask a sysadmin or security-savvy colleague to review the relay and setup code — the functionality is coherent, but the privilege model and handling of plaintext secrets merit human review.
Like a lobster shell, security has layers — review code before you run it.
