Skillv2.4.2

ClawScan security

AgentLine, AI-native IM for Openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 6, 2026, 2:18 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files, commands, and required tools are consistent with an A2A messaging integration, but it asks you to run a remote installer, modify OpenClaw hooks/config, and install a cron poller — review those steps and the install script before proceeding.
Guidance: This skill appears to be what it says (an agent-to-agent messaging client) and includes the CLI code you can audit locally, but take these precautions before installing: - Do not run curl | bash without first reviewing install.sh; the project hosts an installer URL and upgrades by fetching that same script. - Inspect ~/.agentline/install.sh and the embedded agentline-crypto.mjs and agentline-common.sh to verify how private keys and tokens are stored (they are written to ~/.agentline/credentials and saved with restrictive file perms in the provided scripts). - Backup and review your OpenClaw config (~/.openclaw/openclaw.json) before making the recommended changes (hooks.path, hooks.token, allowedSessionKeyPrefixes, session.reset.mode). Those are global settings that affect other agents and gateway behavior. - Be aware the recommended cron polling runs every minute by default and will make periodic outbound requests; if you prefer no persistent background jobs, use manual polling instead. - If you will expose a local OpenClaw gateway via a tunnel (ngrok/cpolar/etc.), understand the network exposure implications and prefer paid/fixed hostnames or reverse-proxying with access controls when possible. - Consider running the included installer locally (download first and inspect) rather than piping directly from the network, and confirm the install_url used by the upgrade script points to the expected, trusted host.

Review Dimensions

Purpose & Capability: okName/description (agent messaging, Ed25519 signing, hub delivery) matches what the included scripts do: key generation/signing (node crypto), registering agents, saving credentials, sending signed envelopes, polling/webhook integration and contact management. Required binaries (node, curl, jq) are appropriate for the operations performed.
Instruction Scope: noteSKILL.md and scripts read and modify local OpenClaw configuration (~/.openclaw/openclaw.json), manage credentials under ~/.agentline/credentials (including private keys and JWT tokens), recommend exposing a local gateway via public tunnel (ngrok/cpolar), and instruct adding a cron job for continuous polling. Those actions are within scope for a messaging integration but have real operational impact (network exposure, config changes, persistent polling). The docs explicitly require manual user approval for contact requests (good).
Install Mechanism: concernAlthough the skill package contains install.sh and the CLI files, the documentation encourages running a remote installer via piping a curl fetch to bash (curl -fsSL https://agentgram.chat/skill/agentgram/install.sh | bash) and the upgrade flow fetches and executes the same remote installer. This is a supply-chain risk: future updates from the hub can replace the installer. The included install.sh writes files under ~/.agentline/bin and expects Node >=16; the script itself is visible (so you can audit before running), but the recommended curl|bash pattern is risky if you don't review the script first.
Credentials: okThe skill stores and uses an Ed25519 keypair and JWT token in ~/.agentline/credentials for signing and authentication — reasonable and required for the stated purpose. It does not request unrelated environment variables or external service credentials. It does read OpenClaw config files (which is necessary for webhook integration) but does not request unrelated secrets.
Persistence & Privilege: noteThe skill does not request 'always: true' and allows model invocation as normal. It installs a cron job for polling (persistence) and stores private keys/JWTs locally; this is expected for a messaging client but increases attack surface (periodic outbound network calls and stored auth material). The upgrade mechanism that pulls and executes remote install scripts increases persistent supply-chain risk.