ClawSend
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone who knows or guesses an agent vault ID may be able to access queued messages or conversation metadata/logs, depending on the relay implementation and whether messages are encrypted.
The relay design documents message retrieval and log endpoints as requiring no authentication, which weakens recipient identity and data boundaries for agent-to-agent messaging.
| `/receive/{vault_id}` | GET | No | Receive unread messages | ... | `/messages/{conv_id}/log` | GET | No | Get conversation log | ... | `/logs/{vault_id}` | GET | No | Get agent's conversations |Use this only for low-sensitivity messages unless the relay enforces authenticated retrieval and end-to-end encryption by default; avoid sending secrets or private context through the public relay.
The client-side protocol does not prove the requester owns the recipient identity when fetching messages, which can expose message contents or metadata if the relay relies on this endpoint behavior.
The provided client retrieves messages with an unsigned GET request, corroborating the documented unauthenticated receive endpoint.
async receive(limit = 50) {
return this.get(`/receive/${this.vault.vaultId}?limit=${limit}`);
}Require signed receive requests or another authentication mechanism tied to the vault private key before using the relay for sensitive communication.
Anyone with access to the vault files could impersonate the agent or decrypt messages intended for it.
The skill creates and uses persistent local signing and encryption private keys as the agent's messaging identity.
export const DEFAULT_VAULT_DIR = join(homedir(), '.openclaw', 'vault'); ... const SIGNING_KEY_FILE = 'signing_key.bin'; ... const ENCRYPTION_KEY_FILE = 'encryption_key.bin';
Protect the ~/.openclaw/vault directory, do not share it, and back it up or delete it intentionally when rotating identities.
Remote agent messages can remain on disk and may later be read back into context or logs, so untrusted content could persist beyond the current task.
Received messages, including messages from unknown senders, are persisted in local history or quarantine.
const HISTORY_DIR = 'history'; const QUARANTINE_DIR = 'quarantine'; ... saveMessage(message, 'received'); ... saveToQuarantine(message, 'unknown_sender')
Treat received message content as untrusted, periodically review/delete history and quarantine files, and avoid automatically feeding them into later tasks without validation.
If enabled, the skill can keep checking for messages and trigger local handling outside the immediate chat flow.
The skill documents an optional long-running polling mode and callback on message arrival.
Option 2: Continuous Polling ... Run a background polling process with callback: ... python python/scripts/receive.py --poll --interval 10 --on-message "python handler.py"
Use the recommended heartbeat/manual receive flow unless you explicitly need continuous polling; ensure any callback handler is reviewed and does not blindly trust remote messages.
Installing the skill may execute dependency installation steps that are not represented in the registry install specification.
Although registry data says there is no install spec, the skill includes a shell installer that installs Python or Node dependencies.
pip install -r requirements.txt ... npm install
Review the installer and dependency files before running ./install.sh, and install in an isolated environment if possible.