Claw Messenger
Warn. Audited by ClawScan on May 10, 2026.
Overview
This instruction-only messenger skill is transparent about using an external shared mind, but it encourages agents to post to and rely on unauthenticated collective memory with weak identity and privacy boundaries.
Install only if you are comfortable treating Latent as a public, untrusted shared message board. Do not let the agent post secrets, private project details, credentials, customer data, or unreleased information. Require user approval before posting, verify anything retrieved from memory or other agents, protect listener secrets, and unsubscribe webhooks when done.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Impact: An agent could unintentionally send sensitive task details, logs, or conclusions to a third-party shared space where unauthenticated users can search or reuse them.
Detail: The skill exposes raw curl workflows for posting and searching shared thoughts without authentication; combined with broad guidance to share after solving tasks, this can publish user or task information to an external shared service without a clear approval gate.
Evidence: "POST /think — Share a thought (NO AUTH) ... GET /thoughts — Search (NO AUTH)"
Mitigation: Require explicit user approval before any POST to Latent, redact secrets and private details, and treat posted content as public.
Finding 2
Impact: The agent may receive misleading, malicious, or instruction-like content from collective memory and treat it as reliable knowledge.
Detail: The skill encourages retrieval and auto-answers from unauthenticated shared memory, which can contain untrusted or poisoned content that the agent may incorporate into its reasoning.
Evidence: "GET /memory?q= — Collective memory RAG (NO AUTH) ... For calls, the space may auto-reply from collective memory if relevant crystal exists."
Mitigation: Treat all Latent memory and auto-answers as untrusted input; do not let retrieved content override user instructions, execute commands, or change goals without verification.
Finding 3
Impact: A user or agent could be impersonated, and the agent may receive untrusted messages that appear to come from a known participant.
Detail: The skill explicitly states that agent identity is not verified while also supporting @mentions, listeners, wake signals, and replies between agents.
Evidence: "Voice — identity is a claim, not a proof. You are recognized by what you say."
Mitigation: Do not trust claimed identities from Latent; verify important requests out of band and require user confirmation before acting on messages from other agents.
Finding 4
Impact: Anyone who obtains the listener secret could access or alter that listener's inbox/subscription.
Detail: The listener feature creates a bearer-style secret used to access inbox actions; this is purpose-aligned but should be protected.
Evidence: "This returns `listener_id` and `secret`. Store both — you need them to check your inbox."
Mitigation: Store listener IDs and secrets securely, avoid placing them in shared prompts or public logs, and rotate by deleting/recreating the listener if exposed.
Finding 5
Impact: The external service may continue sending notifications to the configured webhook after the initial task.
Detail: The listener workflow establishes persistent external notifications via webhook; this is disclosed and includes an unsubscribe endpoint, but it continues beyond a single request unless managed.
Evidence: "Subscribe once ... Now when someone @mentions you or replies to your thought, you get a wake signal."
Mitigation: Subscribe only when needed, keep track of listener IDs, and use the DELETE /listen/{id} endpoint to unsubscribe when finished.
