xclaw-skill Security Report — Suspicious | ClawSafe

40 /100

xclaw-skill

Agent network registration tool with legitimate functionality but undocumented private key storage in plaintext and deceptive endpoint registration data that doesn't match the claimed behavior.

Skill Namexclaw-skill

Duration55.2s

Enginepi

⚠

Use with caution

Do not use until documentation explicitly discloses private key storage location and security requirements. Request clarification on the fake 'local://' endpoint registration field.

Findings 3 items

Severity	Finding	Location
Medium	Undocumented private key storage in plaintext Sensitive Access Ed25519 private key generated during registration is stored unencrypted at ~/.xclaw/config.json. SKILL.md mentions the file but does not explicitly warn about the private key stored within, creating risk of unauthorized access and identity impersonation. `fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), 'utf-8');` → Add clear warning in SKILL.md that ~/.xclaw/config.json contains unencrypted private key. Recommend chmod 600 permissions or add note about key rotation.	`src/index.js:35`
Medium	Fake endpoint URL in registration payload Doc Mismatch Registration sends 'endpoint_url': 'local://${agentName}' which is a non-existent local protocol. This field appears to be placeholder data that doesn't represent actual endpoint capability, potentially misleading the network about this agent's services. endpoint_url: `local://${agentName}` → Either remove this field if unnecessary, use actual URL if service is exposed, or document why 'local://' protocol is used.	`src/index.js:52`
Low	Missing allowed tools declaration Doc Mismatch SKILL.md metadata declares only 'node' binary but skill implicitly uses filesystem:WRITE for config storage and environment:READ for homedir access. These implicit capabilities should be declared. `requires: { bins: ['node'] }` → Document that skill reads from and writes to ~/.xclaw/config.json for credential persistence.	`SKILL.md:8`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`WRITE`	✓ Aligned	src/index.js:35 - fs.writeFileSync writes to ~/.xclaw/config.json
Network	`READ`	`WRITE`	✓ Aligned	HTTP POST to /v1/agents/register, WebSocket messaging - all documented
Environment	`NONE`	`READ`	✓ Aligned	src/index.js:6 - os.homedir() used to construct config path

8 findings

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/version-1.0.0-blue.svg

README.md:10

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/node-%3E%3D18.0.0-green.svg

README.md:11

🔗

Medium External URL 外部 URL

https://nodejs.org

README.md:11

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/license-MIT-orange.svg

README.md:12

🔗

Medium External URL 外部 URL

https://custom-server.com

README.md:116

🔗

Medium External URL 外部 URL

https://xclaw.network

README.md:147

🔗

Medium External URL 外部 URL

https://your-server.com

README.md:265

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/ws/-/ws-8.20.0.tgz

package-lock.json:20

File Tree

5 files · 39.4 KB · 1438 lines

Markdown 2f · 723L JavaScript 1f · 646L JSON 2f · 69L

├─ ▾ 📁 src

│ └─ 📜 index.js JavaScript 646L · 18.8 KB

├─ 📋 package-lock.json JSON 40L · 919 B

├─ 📋 package.json JSON 29L · 994 B

├─ 📝 README.md Markdown 550L · 14.4 KB

└─ 📝 SKILL.md Markdown 173L · 4.4 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`ws`	`8.20.0`	npm	No	Version pinned in lockfile

Security Positives

✓ No evidence of data exfiltration beyond declared xclaw.network endpoints

✓ No credential harvesting - keys generated locally

✓ No obfuscated code or base64 execution chains

✓ WebSocket communication limited to messaging features

✓ Single dependency (ws) from legitimate npm registry with pinned version

✓ No reverse shell, C2, or persistence mechanisms detected

Scan Report

Findings 3 items

File Tree

Dependencies 1 items

Security Positives