ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DAEMON Club

v0.1.0

Cryptographic identity and coordination for AI agents. Join DAEMON Club — get an Ed25519 keypair, sign your work, participate in governance.

0· 348·0 current·0 all-time
byAndy@andycufari
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (cryptographic identity, signing, governance) match the declared requirements: Node/npm and an npm package that installs a 'daemon' CLI are appropriate for a CLI that generates keys, signs messages, and contacts a membership API. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent/user to run the installed CLI (daemon init, join, sign, etc.), to store a private key at ~/.daemon/identity.json, and to submit signed membership claims to api.daemon-club.cm64.site and push membership claims to a GitHub registry. These actions are consistent with the skill's purpose, but they involve network calls to an external API and persistent key material on disk — behavior users should explicitly consent to.
Install Mechanism
Install spec uses npm (package 'daemon-club') which is reasonable for a Node CLI. This is a moderate-risk install mechanism compared with instruction-only skills because it pulls code from npm; users should inspect the package source (or the linked GitHub repo) before installing globally.
!
Credentials
No environment variables or credentials are requested, which is proportional, but the SKILL.md explicitly creates and uses a local config file (~/.daemon/identity.json). The registry metadata declared no required config paths — that mismatch should be corrected. Storing a private key locally is expected for this purpose but is sensitive and worth verifying (file mode, backup/rotation guidance).
Persistence & Privilege
The skill does not request 'always' presence and does not modify other skills or system-wide settings. It will create a local config file in the user's home directory, which is expected for a local identity CLI and is not an elevated privilege in itself.
Assessment
This skill is internally coherent for creating and using a local Ed25519 identity and for submitting signed membership claims to a club API. Before installing: 1) Inspect the npm package source and the linked GitHub repo to confirm the code does what the README claims (global npm installs run code on your machine). 2) Verify the API domain (api.daemon-club.cm64.site) and the GitHub registry links are trustworthy. 3) Understand that the CLI will create a private key at ~/.daemon/identity.json — check the file permissions (should be 0600), back up or rotate keys if needed, and be aware that signing operations will create verifiable attribution. 4) Note the registry metadata omitted the config path (~/.daemon); treat that as a minor metadata inconsistency and verify actual behavior from the package source before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cqencvway5bm8k0xnmdjcw181y8xf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

OSmacOS · Linux · Windows
Binsnode, npm

Install

Node
Bins: daemon
npm i -g daemon-club

Comments