ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Agent Broadcast

v1.0.1

Broadcast a message to multiple OpenClaw group sessions simultaneously. Use for cross-agent coordination, alerts, and announcements.

0· 401·1 current·1 all-time
byZero2Ai@zero2ai-hub
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (broadcast to OpenClaw groups) matches the included files: a node script that reads a groups registry and POSTs messages to a local gateway (/api/send). Required binary 'node' is appropriate. The presence of config/groups.json with chat IDs is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs running scripts/broadcast.js and documents env vars and config path that the script actually uses. The runtime instructions do not ask the agent to read unrelated files or transmit data to external endpoints — requests are targeted to localhost gateway. The script only reads the groups registry and optional OPENCLAW_TOKEN.
Install Mechanism
There is no external install step or remote download; this is an instruction-only skill with bundled scripts. No archive/extract or third-party package fetches are present, so installation risk is low.
Credentials
Registry metadata lists no required env vars, while SKILL.md documents OPENCLAW_PORT, OPENCLAW_TOKEN (optional), and GROUPS_CONFIG_PATH. The script treats OPENCLAW_TOKEN as optional (defaults to empty) and only sends an Authorization header if a token is set. This is reasonable but the registry/metadata mismatch is worth noting so users know the token is optional but relevant.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. It relies on a local gateway and local config only.
Assessment
This skill appears coherent with its stated purpose. Before installing, confirm you trust the local OpenClaw gateway that the script will POST to (localhost:OPENCLAW_PORT) and ensure any OPENCLAW_TOKEN you set is for that gateway only. Review config/groups.json to avoid accidentally broadcasting to real chat groups you don't intend. Note the registry metadata doesn't mark OPENCLAW_TOKEN as required even though the script supports it — the token is optional but if present will be sent as a Bearer token to the local gateway. If the script were modified to target non-local hosts (not localhost) or to fetch code at install time, treat that as suspicious and do not install without deeper review.

Like a lobster shell, security has layers — review code before you run it.

latestvk9756fh8s4nr0bm61s12wp706h822916

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

Comments