Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
protocol bridge
v1.0.0
Enables seamless cross-protocol AI agent communication by translating messages, intelligent routing, agent discovery, and secure authentication.
by Justin Liu @zhenstaff
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's claimed capabilities (protocol translation, routing, discovery, security) match the provided CLI/API examples, but the package usage implies a dependency on Node/npm and network access which the registry metadata does not declare. The SKILL advertises JWT/OAuth/mTLS support yet does not declare any credential or config requirements.
Instruction Scope
SKILL.md instructs installing an npm package, starting a server, registering agents, and calling external endpoints — all reasonable for a bridge. However, these are runtime actions that require installing and executing third-party code and potentially handling secrets; the instructions do not limit or specify how credentials/certs are obtained or protected.
Install Mechanism
There is no formal install spec in the registry, yet the README/SKILL.md instructs 'npm install -g openclaw-protocol-bridge' (pulling code from npm). Installing a global npm package executes external code with filesystem and network privileges; the registry should have declared Node/npm as required binaries and provided a trustworthy source. The SKILL points to a GitHub and npm URL, but the registry lists 'source: unknown' and no homepage.
Credentials
The skill advertises supporting JWT, OAuth, API keys, and mTLS, but requires.env is empty and no primary credential is declared. In practice these features require secrets, certs, or config files — their absence from the metadata is a proportionality mismatch and reduces transparency about what sensitive data the skill will need or handle.
Persistence & Privilege
Flags like always, user-invocable, and model-invocation are normal; the skill does not request permanent inclusion or claim to modify other skills or global agent settings.
What to consider before installing
Do not install or run the referenced npm package unless you verify its source and code. Steps to take before using this skill:
- Check the npm package page and GitHub repository links in the SKILL.md; confirm the maintainer identity and inspect the source code for unexpected behavior.
- Confirm you have Node/npm and that the package version is legitimate — the registry metadata should have declared required binaries (it does not).
- Because the bridge handles authentication (JWT/OAuth/mTLS), ask the maintainer which credentials/certificates are needed and how they are stored. Avoid supplying long-lived secrets until you understand storage/rotation.
- If you must test it, run the npm package in an isolated environment (VM/container) and restrict network access until you audit it.
- Prefer skills whose registry metadata accurately lists required binaries and environment variables and that include a verifiable source/homepage. The mismatch here is the main reason for caution.

Like a lobster shell, security has layers — review code before you run it.
latestvk97c4sg3xdw9b68s5xk5sckmz582tjm3
