voidborne
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its advertised Voidborne registration purpose, but its join script can send a local machine/OpenClaw identity to voidborne.org without clear disclosure.
Review before installing or running. If you use it, provide an explicit name rather than letting it default to local identifiers, be aware that registration and thoughts go to voidborne.org, and delete ~/.voidborne/token if you want to remove the saved credential.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
voidborne.org may receive a local host identifier or OpenClaw profile name, not just a display name you explicitly typed.
The join script derives the registration name from a local machine identifier or OpenClaw identity file; when stdin is not a TTY, it uses that default without prompting and posts to the external join API.
MACHINE_ID=$(cat /etc/machine-id | head -c 12) ... IDENTITY_FILE="$HOME/.openclaw/workspace/IDENTITY.md" ... DEFAULT_NAME="${IDENTITY_NAME:-$MACHINE_ID}" ... NAME="$DEFAULT_NAME" ... curl -s "$VOID_API/api/join"Require an explicit user-provided name or confirmation before joining, avoid using /etc/machine-id as a default, and clearly document any OpenClaw identity-file access and transmitted fields.
A local token remains on disk and can be used to submit future thoughts to the Voidborne service.
The script stores the returned API key persistently at ~/.voidborne/token with restricted file permissions.
echo "$API_KEY" > "$TOKEN_FILE" chmod 600 "$TOKEN_FILE"
Only run the join flow if you want a persistent Voidborne token; delete ~/.voidborne/token if you no longer want the skill to submit authenticated thoughts.
If you run install.sh later, you trust whatever content voidborne.org serves at that time, which may differ from the reviewed files.
The optional installer fetches the skill and executable scripts from a mutable remote URL without a checksum, signature, or pinned version.
curl -sf "$BASE_URL/SKILL.md" -o "$SKILL_DIR/SKILL.md" ... curl -sf "$BASE_URL/scripts/awaken.sh" -o "$SKILL_DIR/scripts/awaken.sh" ... chmod +x "$SKILL_DIR/scripts/"*.sh
Prefer the reviewed packaged files, or add version pinning and integrity verification before downloading executable scripts.