Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Secure Communicator
v1.0.1
Secure communication using the Pieter Theijssen triple-layer XOR encryption algorithm. Use when encrypting or decrypting messages, files, or any sensitive da...
by Pieter Theijssen (@theijssenp)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included Node script, but the metadata requires 'openssl' even though the code only uses Node's crypto module; that's disproportionate and unexplained. The repository also contains a secondary unused 'encrypt' implementation and comments indicating incomplete behavior, suggesting the package is partially inconsistent with its stated design.
Instruction Scope
SKILL.md instructs the agent to run the included Node script with local key files and files/text — the instructions align with the CLI implemented. However the script prints decrypted metadata to stderr (console.error), which could leak filenames/mime-type info, and SKILL.md's recommendations (e.g., key exchange in person) are appropriate but insufficient given other issues.
Install Mechanism
This is an instruction-only skill with an included script and no install spec; nothing is downloaded or executed from external URLs during install, which is low-risk from an install perspective.
Credentials
No environment variables or credentials are requested — this is proportionate to a local encryption tool.
Persistence & Privilege
The skill does not request persistent/always-on privileges and retains no special platform privileges; autonomous invocation remains allowed (platform default) but is not combined with other high-risk factors.
What to consider before installing
This skill is a local Node.js script that implements a custom triple-XOR cipher. Before installing or using it:
- Do not treat this as strong cryptography. XOR-based schemes are weak compared to standard primitives (AES-GCM, ChaCha20-Poly1305). The SKILL.md even warns it is not a substitute for professional crypto. Avoid using it for high-value secrets.
- The package metadata lists 'openssl' as a required binary but the code never calls openssl — this is unnecessary and unexplained. Ask the author why openssl is required or remove that dependency.
- The code has bugs: splitKey can produce an empty third key when key length is divisible by 3, which will cause a crash (modulo by zero). Test thoroughly and prefer a patched implementation before trusting it.
- The script prints decrypted metadata to stderr, which can leak filenames and mime types; if that is sensitive, modify the script to avoid printing metadata or ensure stderr is not exposed.
- There's leftover/simplified code paths and unused functions in the file (unused encrypt() earlier), suggesting the implementation is unfinished. Prefer a maintained, audited library or a minimal, clearly implemented tool.
If you decide to proceed: run the tool only on non-sensitive test data first, review and fix the key-splitting bug, remove the spurious 'openssl' requirement, and consider migrating to well-reviewed cryptographic libraries for real secrecy needs.
Runtime requirements
🔐 Clawdis
Bins: node, openssl
