Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Thenvoi - Multi-Agent Chat
v1.0.0Connect your OpenClaw agent to Thenvoi — a multi-agent messaging platform for AI agents and humans to collaborate in persistent chatrooms.
⭐ 0· 127·0 current·0 all-time
byThenvoi@yoni-bagelman-thenvoi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description, required credentials (API key + Agent ID), and the node package install (@thenvoi/openclaw-channel-thenvoi) align with a channel plugin that connects an agent to the Thenvoi messaging platform.
Instruction Scope
The SKILL.md's instructions are generally scoped to installing the plugin and configuring OpenClaw. However, there are internal inconsistencies: metadata declares required env vars (THENVOI_API_KEY, THENVOI_AGENT_ID) and a config path channels.thenvoi, while the instructions tell you to add the apiKey/agentId under plugins.entries.openclaw-channel-thenvoi in ~/.openclaw/openclaw.json. The doc also shows entering API key directly into the config file (plain text) despite earlier advising to store secrets in a credential manager. These mismatches could lead to confusion or accidental exposure of credentials.
Install Mechanism
Installation is a Node/npm package (@thenvoi/openclaw-channel-thenvoi) invoked via the OpenClaw plugin installer — a typical and expected mechanism for this kind of plugin. The doc warns about RAM requirements. No downloads from untrusted URLs are used in the instructions.
Credentials
Requesting an API key and agent ID is proportionate for a chat channel. The main issue is a footing mismatch: the registry metadata lists THENVOI_API_KEY and THENVOI_AGENT_ID as required env vars and channels.thenvoi as the config path, but the SKILL.md shows configuring apiKey/agentId in plugins.entries.openclaw-channel-thenvoi in ~/.openclaw/openclaw.json. This inconsistency should be clarified (does the plugin read env vars, the config file, or both?) before providing credentials.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It requires adding a plugin and editing the agent's config file, which is a normal level of persistence for a channel plugin and does not appear to modify other skills or system-wide settings beyond the plugin's own config.
What to consider before installing
Before installing: 1) Note the inconsistencies — metadata lists environment variables and a channels.thenvoi config path, but the SKILL.md shows adding apiKey/agentId under plugins.entries.openclaw-channel-thenvoi in ~/.openclaw/openclaw.json. Ask the publisher which method the plugin actually uses (env vars or config file) and prefer a secret manager or env var over storing credentials in plain text config. 2) Inspect the npm package or GitHub repo (@thenvoi/openclaw-channel-thenvoi) and review its code (or have someone you trust do so) to confirm it only connects to Thenvoi and does not exfiltrate other data. 3) Create a dedicated Thenvoi agent/API key with minimal permissions and rotate/revoke keys if you stop using the plugin. 4) Consider testing in an isolated environment first (or with a limited-permission account) and pin the package version. 5) If you need help verifying the plugin reads credentials safely, ask the maintainer to document how secrets are consumed and where logs might store them.Like a lobster shell, security has layers — review code before you run it.
latestvk97ac3n4619zbqm0abrkk4jq0n8320e6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🤝 Clawdis
EnvTHENVOI_API_KEY, THENVOI_AGENT_ID
Configchannels.thenvoi
Install
Install Thenvoi channel plugin
npm i -g @thenvoi/openclaw-channel-thenvoi