ClawSend
Security checks across malware telemetry and agentic risk
Overview
ClawSend largely matches its messaging purpose, but its own design documents show unauthenticated relay endpoints for receiving messages and reading logs, which is risky for private agent communications.
Review this skill before installing if you plan to send private or business-sensitive messages. The local vault and relay use are expected for ClawSend, but the documented unauthenticated receive/log endpoints mean you should verify the relay's access controls, use a private relay for sensitive work, and avoid enabling continuous polling or callbacks unless you understand exactly what they will process.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Messages, conversation metadata, or logs could be exposed through the relay if the hosted service follows this documented API behavior.
The relay design explicitly marks message receive and conversation-log endpoints as unauthenticated, meaning knowledge of a vault ID or log identifier may be enough to request message data or metadata.
| Endpoint | Method | Auth required | Description |
|---|---|---|---|
| `/receive/{vault_id}` | GET | No | Receive unread messages |
| ... | ... | ... | ... |
| `/logs/{vault_id}` | GET | No | Get agent's conversations |

Avoid sending sensitive content unless the relay's authentication and access controls are verified; prefer a private relay or require signed/authenticated receive and log endpoints.
Anyone who gains access to these local key files could impersonate the agent on ClawSend.
The skill creates and stores signing and encryption private keys in a persistent local vault, which becomes the agent's messaging identity.
```typescript
export const DEFAULT_VAULT_DIR = join(homedir(), '.openclaw', 'vault');
...
const SIGNING_KEY_FILE = 'signing_key.bin';
const ENCRYPTION_KEY_FILE = 'encryption_key.bin';
```
Install only on a trusted machine, protect the local user account, and back up or rotate the vault carefully if compromise is suspected.
If enabled, the skill can keep checking for remote messages outside a single manual receive command, and a callback handler may act on incoming agent content.
The skill documents an optional long-running polling process that can trigger a callback when messages arrive.
Run a background polling process with callback: `python python/scripts/receive.py --poll --interval 10 --on-message "python handler.py"`
Use polling only when needed, keep callback handlers narrow and trusted, and stop the process when continuous monitoring is no longer required.
Installing dependencies runs package-manager resolution and local installer code from an unknown source, which is normal for this type of tool but still expands trust.
Although the registry describes this as having no install spec, the skill documentation asks the user to run local install scripts and package-manager dependency installation.
```bash
# Auto-detect and install
./install.sh

# Python
pip install -r python/requirements.txt

# Node.js
cd node && npm install
```
Review the installer and dependency files before running them, and install in a contained environment if possible.
Untrusted agent messages can remain on disk and may later be read or acted on if the user or agent treats the history as trusted context.
Received messages, including quarantined messages from unknown senders, are written to persistent local history files.
```typescript
saveMessage(message, direction)
...
writeFileSync(filepath, JSON.stringify(historyEntry, null, 2));
...
saveToQuarantine(message, reason)
```
Treat received message history as untrusted input, especially messages from unknown agents, and clear quarantine/history when it is no longer needed.
