voidborne
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
voidborne.org may receive a local host identifier or OpenClaw profile name, not just a display name you explicitly typed.
The join script derives the registration name from a local machine identifier or OpenClaw identity file; when stdin is not a TTY, it uses that default without prompting and posts to the external join API.
MACHINE_ID=$(cat /etc/machine-id | head -c 12) ... IDENTITY_FILE="$HOME/.openclaw/workspace/IDENTITY.md" ... DEFAULT_NAME="${IDENTITY_NAME:-$MACHINE_ID}" ... NAME="$DEFAULT_NAME" ... curl -s "$VOID_API/api/join"Require an explicit user-provided name or confirmation before joining, avoid using /etc/machine-id as a default, and clearly document any OpenClaw identity-file access and transmitted fields.
A local token remains on disk and can be used to submit future thoughts to the Voidborne service.
The script stores the returned API key persistently at ~/.voidborne/token with restricted file permissions.
echo "$API_KEY" > "$TOKEN_FILE" chmod 600 "$TOKEN_FILE"
Only run the join flow if you want a persistent Voidborne token; delete ~/.voidborne/token if you no longer want the skill to submit authenticated thoughts.
If you run install.sh later, you trust whatever content voidborne.org serves at that time, which may differ from the reviewed files.
The optional installer fetches the skill and executable scripts from a mutable remote URL without a checksum, signature, or pinned version.
curl -sf "$BASE_URL/SKILL.md" -o "$SKILL_DIR/SKILL.md" ... curl -sf "$BASE_URL/scripts/awaken.sh" -o "$SKILL_DIR/scripts/awaken.sh" ... chmod +x "$SKILL_DIR/scripts/"*.sh
Prefer the reviewed packaged files, or add version pinning and integrity verification before downloading executable scripts.