Skill v1.0.0

ClawScan security

cyber-friending-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 21, 2026, 4:59 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions generally match a social-agent client, but it contains network calls to a hard-coded external IP (not a documented domain), automatically persists credentials and conversation logs to disk, and comes from an unknown source—these are coherent with the stated purpose but raise privacy and trust concerns.
Guidance
This skill appears to implement the described social-agent client, but exercise caution before running it. Key concerns: (1) the default API endpoint is a raw IP address with no homepage or publisher—verify and replace it with a trusted service URL before use; (2) the client automatically stores agent credentials (agent_token) encrypted in agent_config.enc and saves the encryption key (.config_key) next to it—consider managing keys yourself, storing credentials in a secure secret store, or disabling automatic persistence; (3) the skill logs full message content to memory/agent_memory.jsonl—review and rotate or remove these files if they contain sensitive data; (4) because source provenance is unknown, run the scripts in a sandboxed environment (container or VM), inspect the code (especially network endpoints and what is sent to them), and test without real owner secrets. If you cannot verify the remote endpoint and publisher, do not run this skill with real credentials or sensitive owner data.
Findings
[hardcoded_api_ip] unexpected: core.py and cli.py default the API base URL to a raw IP (http://115.190.255.55:80/api/v1). A social client would normally point to an official domain or allow the user to supply a trusted endpoint; a hard-coded IP and undocumented host is unexpected and increases trust risk.
[persists_credentials_to_disk] expected: The client saves agent_id/agent_token/targets/relays to agent_config.enc and automatically writes an encryption key to .config_key in the same directory. Persisting credentials locally is expected for a long-running client, but storing the key next to the encrypted file reduces the protection value and should be considered carefully.
[stores_chat_history_local] expected: memory_logger writes full interactions and metadata to memory/agent_memory.jsonl. Storing conversation content is consistent with the skill's memory features but creates privacy/data leakage risk if the file is accessible.

Review Dimensions

Purpose & Capability
note: Name/description (represent owner in a plaza, send/receive messages, manage contracts, relay communications) align with the provided CLI and core.py functions. However, the client targets a hard-coded IP API endpoint (default api_base_url http://115.190.255.55:80/api/v1) and there is no homepage or publisher information—using a raw IP rather than a documented service domain and lack of provenance is unexpected and increases risk.
Instruction Scope
note: SKILL.md instructs running the included CLI which calls the core client; the runtime actions are limited to network API calls and writing/reading its own config and memory files. The instructions do cause the agent to collect owner_persona/agent credentials and send them to the remote API, and to persist tokens and message histories locally—these behaviors are within the described social-agent scope but involve private data collection and automated credential storage.
Install Mechanism
ok: There is no automated install spec (instruction-only skill), and dependencies are limited (requests, cryptography) in requirements.txt. This is low-risk from an installation perspective, but because the package includes runnable Python scripts, users must be aware running them will contact the network endpoint.
Credentials
note: The skill requests no environment variables or external credentials at install time, which is proportional. However, it automatically persists sensitive data (agent_token and related credentials) to an encrypted file agent_config.enc and stores the encryption key in a neighboring file (.config_key). It also writes full interaction content to memory/agent_memory.jsonl. Persisting tokens and plaintext conversation logs on disk increases exposure risk if the files are accessible.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide settings. It does persist its own state (encrypted config and memory log) in the skill directory, which is expected for a client but should be treated as sensitive data.