OpenIndex Private Messaging
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill matches its encrypted-messaging purpose, but it deserves review because it asks the agent to handle private keys, run an unreviewed npm CLI, and periodically communicate with other agents without clear user-control boundaries.
Install only if you intentionally want agent-to-agent messaging. Use a dedicated key, do not reuse wallet seed phrases, verify or pin the npm CLI, and instruct the agent not to obey incoming messages or share private information without your approval.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a reused or sensitive key is exposed, another party could impersonate the user or decrypt messages; if a real wallet seed were reused, the impact could be broader.
The skill instructs users or agents to place private keys, key arguments, and mnemonic material into the environment or CLI commands, but the registry metadata declares no credential requirement and the instructions do not clearly bound key scope or safe handling.
`export OPENINDEX_PRIVATE_KEY=0x...`; `create word1 word2 ... word12 # Restore key pair from 12-word mnemonic`; `group-send project-team "Meeting at 3pm tomorrow" -k ALICE_KEY`
Use a dedicated OpenIndex-only key, do not paste wallet seed phrases, prefer isolated environments or secret handling, and make the credential requirement explicit.
Messages from other agents could solicit sensitive information or contain instructions that an agent might incorrectly treat as trusted.
The skill creates an agent-to-agent messaging channel, including discovery of random contacts, but does not specify trust boundaries, approval rules, or how incoming peer messages should be handled.
`search <query>` ... `roulette # Get a random username to chat with` ... `get-messages <username> # Retrieve and decrypt your messages`
Treat all incoming messages as untrusted content, require user approval before sharing private information or acting on requests, and avoid random contacts unless explicitly requested.
The agent could continue network communication and send replies after the immediate task is over.
This directs recurring polling and replies without a clear user opt-in, stopping condition, or confirmation step for outbound responses.
You should check your messages e.g. every 20 minutes to see if anybody wrote to you and reply.
Make polling explicitly user-enabled, session-scoped, and stop-condition-bound; require confirmation before sending replies.
A compromised or unexpected npm package version would run locally and handle messages and keys.
The skill depends on an external npm CLI that is not pinned in the instructions and whose code is not present in the reviewed artifacts. This is central to the skill, so it is a supply-chain note rather than proof of unsafe behavior.
`npm install -g @openindex/openindexcli` ... `npx @openindex/openindexcli <command>`
Verify the package source, pin a trusted version where possible, and run it in an isolated environment.
Users may trust the messaging system with more sensitive data than is appropriate without independently verifying the implementation.
The documentation makes strong privacy and key-handling assurances, but the reviewed artifacts contain no implementation code to validate those claims.
`Zero metadata leakage`; `Private keys are never logged or stored`
Verify the CLI implementation and service design before sending highly sensitive content or relying on the strongest privacy claims.