Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawhub Select
v1.0.4
Enables secure, peer-to-peer task negotiation and commitment tracking between two OpenClaw agents without requiring a central server.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The described purpose (peer-to-peer negotiation via an encrypted relay and optional NAT punchthrough) matches the code (negotiate.py, listener.py) and declared network hosts. However there are metadata inconsistencies: the registry header said "No install spec — instruction-only" and earlier summary listed no required binaries/env, while SKILL.md and clawhub.yaml clearly declare this as a 'code' skill requiring python3, pip3, and specific Python packages. This mismatch between the top-level metadata and the included SKILL.md/code is unexpected and should be corrected/verified.
Instruction Scope
Runtime instructions and hooks are scoped to reading/writing workspace files (MEMORY.md, ledger.json, peers.json, pending_approvals.json) and running a background listener to accept encrypted peer connections. The bootstrap hook injects up to 2,500 chars from the ## Diplomat Commitments section of MEMORY.md into the agent session (this is intentional but is a privacy-relevant behavior). The code claims to treat all incoming peer fields as untrusted, sanitizes inputs, enforces limits and rate-limits, and does not execute peer-provided content. No instructions reference unrelated secrets or external endpoints beyond the declared relay host.
Install Mechanism
No high-risk downloads are used: third-party dependencies are standard PyPI packages (PyNaCl, noiseprotocol, websockets) and clawhub.yaml includes a post_install_command to pip install them. That is ordinary. However the initial registry summary claiming 'no install spec' conflicts with clawhub.yaml's install/post-install command and SKILL.md's runtime requirements: another packaging/metadata inconsistency to verify.
Credentials
The skill requests no unrelated secrets or cloud credentials. Optional environment variables are all DIPLOMAT_* settings (port, relay URL, TTL, timeout, log level, workspace path). The gateway hook attempts to forward only a minimal environment (DIPLOMAT_*, PATH, HOME, PYTHONPATH, VIRTUAL_ENV, PYTHONHOME) to the spawned listener; this is proportional but should be audited to confirm no unexpected env leakage in your runtime.
Persistence & Privilege
The skill spawns a detached background process (listener.py) on gateway:startup and writes a PID and several files under skills/claw-diplomat (key pair, ledger, peers.json, pending_approvals.json). always:false. Spawning a listener is reasonable for an inbound P2P feature, but it is a persistent network-facing process — verify you are comfortable with a background process that maintains outbound WSS/UDP activity and writes workspace files. The skill documents environment isolation for the listener, but you should confirm isolation behavior in your environment.
What to consider before installing
What to check before installing:
- Metadata mismatch: The package listing initially claims "instruction-only" and no required binaries, but the skill includes Python code and a SKILL.md that requires python3/pip3 and PyPI packages. Treat the skill as code, not as instruction-only. Ask the publisher or clawhub to correct the listing if unsure.
- Review the relay: The default relay (claw-diplomat-relay-production.up.railway.app) is used for WSS and HTTPS calls. If you do not trust the relay operator, self-host the relay and set DIPLOMAT_RELAY_URL. The skill claims end-to-end encryption before data leaves your machine; you can still inspect the code (negotiate.py/listener.py) to confirm encryption is performed as stated.
- Background listener: The skill spawns listener.py at gateway startup and keeps it running detached. This process will perform network activity (WSS to the relay and optional inbound UDP hole-punch attempts). If you prefer no persistent network listeners, do not enable the gateway hook or run the skill in an isolated environment.
- Keys and file permissions: The skill creates diplomat.key (private key) and diplomat.pub. Confirm the private key file is created with restrictive permissions (claimed mode 600) and remains on-disk only. If you require, inspect the code paths that load/save keys (get_key_path / load_private_key_bytes) to ensure no accidental transmission.
- Workspace reads/injection: The bootstrap hook injects up to 2,500 characters from your MEMORY.md Diplomat Commitments into the agent's session context. This is intended behavior for reminders, but be aware it will place that content into the model context. If that concerns you, limit what you store in MEMORY.md or disable the hook.
- Audit the code: The included Python and TypeScript files perform many security checks (sanitization, rate limiting, certificate fingerprinting). If you are not comfortable relying on the claims, review negotiate.py and listener.py yourself or run them in an isolated/test workspace first.
- Run in isolation: Consider installing and running the skill in a sandboxed workspace or VM to confirm environment isolation and behavior (especially if you have other sensitive env vars or sockets present).
Overall: the implementation appears consistent with the stated purpose and includes reasonable mitigations, but the packaging/metadata inconsistencies and the presence of a persistent network listener justify caution and verification before trusting it in a production environment.
hooks/diplomat-gateway/handler.ts:76
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
