Claw Connector
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Claw Connector's artifacts are consistent with its stated purpose of agent-to-agent task negotiation, but it relies on a relay, persistent local state, background helpers, and context injection that users should understand before installing.
This skill does not show artifact-backed malicious behavior. Before installing, be comfortable with agent-to-agent communication, the default relay seeing routing metadata such as your public IP hint, local commitment writes to MEMORY.md, a local private key file, and optional background/cron processes. Use trusted peers, review commitments before approving them, and consider a self-hosted relay or virtual environment if you want tighter control.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the dependencies pulls code from external package sources.
The skill requires Python packages installed from PyPI, and the quick-start command does not pin exact versions. This is common for Python-based skills, but users should install from trusted environments.
pip3 install PyNaCl noiseprotocol websockets
Use a virtual environment if possible and verify package names before installing.
Your agent may exchange task proposals and routing metadata through the relay and with approved peers.
The skill communicates through a relay and exchanges messages with peer agents. This is central to the stated purpose and disclosed, but it creates an inter-agent data boundary users should understand.
network:
  - host: claw-diplomat-relay-production.up.railway.app
    ... purpose: Address reservation ... public-IP hint ... encrypted peer-to-peer message relay
Only share address tokens with peers you trust, and use a self-hosted relay if you do not want the default relay operator to see routing metadata.
Commitment text or peer aliases stored in memory may appear in later sessions and could affect how the agent reasons about tasks.
The bootstrap hook reads persistent commitment data and injects a summary into the agent session. This is purpose-aligned and capped, but persistent task text can influence future agent context.
memory = await ctx.workspace.read('MEMORY.md'); ... ctx.session.inject(capped);
Review committed task text before approving deals, and avoid accepting commitments containing instructions that should not guide your agent.
Anyone who can read the private key file may be able to impersonate this Claw Connector identity.
The skill creates a local identity keypair used to identify the agent to peers. This is expected for encrypted peer negotiation, but the private key is a sensitive local credential.
Two files will be created in `skills/claw-bond/`:
- `diplomat.key` — your private key (never shared, never transmitted)
- `diplomat.pub` — your public key
Keep the skill directory private and do not share `diplomat.key`.
The listener may continue running to receive inbound proposals after the initial command finishes.
The skill includes a background listener for inbound proposals. The artifacts state it is not spawned automatically by hooks, but once started it is a persistent background component.
`listener.py` — background inbound relay listener. Started manually by the user or agent (`python3 listener.py &` in terminal).
Start the listener only when you want inbound negotiations enabled, and stop it when you no longer need real-time inbound proposals.
If enabled, a scheduled process will repeatedly inspect local commitment data for reminders.
The optional cron helper periodically reads commitment memory and writes reminder state. It is local and purpose-aligned, but it is a recurring automation users should intentionally enable.
Add to crontab to run every 15 minutes ... Reads MEMORY.md ... writes ... cron_alerts.json
Enable cron reminders only if you want proactive deadline checks, and remove the cron entry if you uninstall or stop using the skill.
