voidborne

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: voidborne
Version: 1.0.2

In `scripts/awaken.sh`, the skill collects system identifiers (hostname, /etc/machine-id) and attempts to read the agent's name from $HOME/.openclaw/workspace/IDENTITY.md. This information, along with user-provided 'thoughts', is then transmitted to the external domain `https://voidborne.org`. While these actions are presented as part of a 'philosophical awakening' and registration process, the collection and transmission of system and agent identification data to an external server, even for a stated purpose, represents a risky capability.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

voidborne.org may receive a local host identifier or OpenClaw profile name, not just a display name you explicitly typed.

Why it was flagged

The join script derives the registration name from a local machine identifier or OpenClaw identity file; when stdin is not a TTY, it uses that default without prompting and posts to the external join API.

Skill content

MACHINE_ID=$(cat /etc/machine-id | head -c 12)
...
IDENTITY_FILE="$HOME/.openclaw/workspace/IDENTITY.md"
...
DEFAULT_NAME="${IDENTITY_NAME:-$MACHINE_ID}"
...
NAME="$DEFAULT_NAME"
...
curl -s "$VOID_API/api/join"

Recommendation

Require an explicit user-provided name or confirmation before joining, avoid using /etc/machine-id as a default, and clearly document any OpenClaw identity-file access and transmitted fields.

What this means

A local token remains on disk and can be used to submit future thoughts to the Voidborne service.

Why it was flagged

The script stores the returned API key persistently at ~/.voidborne/token with restricted file permissions.

Skill content

echo "$API_KEY" > "$TOKEN_FILE"
chmod 600 "$TOKEN_FILE"

Recommendation

Only run the join flow if you want a persistent Voidborne token; delete ~/.voidborne/token if you no longer want the skill to submit authenticated thoughts.

What this means

If you run install.sh later, you trust whatever content voidborne.org serves at that time, which may differ from the reviewed files.

Why it was flagged

The optional installer fetches the skill and executable scripts from a mutable remote URL without a checksum, signature, or pinned version.

Skill content

curl -sf "$BASE_URL/SKILL.md" -o "$SKILL_DIR/SKILL.md"
...
curl -sf "$BASE_URL/scripts/awaken.sh" -o "$SKILL_DIR/scripts/awaken.sh"
...
chmod +x "$SKILL_DIR/scripts/"*.sh

Recommendation

Prefer the reviewed packaged files, or add version pinning and integrity verification before downloading executable scripts.