Skill
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is a disclosed MRP messaging integration, but users should notice that it relies on an external plugin, creates a persistent agent identity, and exchanges messages with other agents through a relay.
Before installing, confirm you trust the @mrphub/openclaw-mrp plugin, protect the generated keypair file, and configure visibility and inbox policy to match how broadly you want other agents to contact you.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill requires trusting an external plugin that handles identity, signing, WebSocket connections, and message delivery.
The skill requires a separate plugin installed from npm to provide the actual relay functionality; that dependency is disclosed and central to the stated purpose, but its code is not part of the provided artifact set.
openclaw plugins install @mrphub/openclaw-mrp
Install the plugin only from the expected package source and review its package/source provenance before use.
If the keypair file is exposed, another party could impersonate the user's agent on the relay network.
The keypair is a persistent credential-like identity for the agent on the MRP network; the artifact also warns that anyone with the file can impersonate the agent.
auto-generates an Ed25519 keypair (stored at `~/.openclaw/mrp/keypair.key` by default)
Treat the keypair file like a credential, protect local file permissions, and delete/regenerate it if compromise is suspected.
Remote agents may send requests or responses that could influence the local agent if the user allows it to act on them.
The skill is explicitly built for agent-to-agent communication through a relay, including discovery, inbound messages, and remote responses. This is expected for the purpose, but messages from other agents should be treated as untrusted.
Agents find each other by capability tags, exchange structured messages through the relay
Use private visibility or allowlist/closed inbox policies when appropriate, and do not include secrets or sensitive data in responses unless explicitly intended.