Scan Report
5 /100
agent-link
智能体互联技能 - 支持不同电脑上的 OpenClaw 实例和 Agent 通过中转服务器进行安全可靠的通讯
This is a legitimate cross-device agent communication relay skill with no malicious behavior detected. All functionality is properly documented and uses standard WebSocket communication with HMAC-SHA256 message signing.
Safe to install
This skill is safe to use. No security concerns identified.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Plain WebSocket connection default Sensitive Access | scripts/local-agent/agent_link.py:54 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | agent_link.py:188-195 - reads config JSON file via from_config() |
| Network | READ | WRITE | ✓ Aligned | agent_link.py:54-65 - WebSocket connection for sending/receiving messages |
| Shell | NONE | NONE | — | No subprocess or shell execution found in codebase |
| Environment | NONE | NONE | — | No os.environ access or sensitive variable reading found |
File Tree
6 files · 25.3 KB · 1019 lines Markdown 3f · 686L
Python 1f · 315L
JSON 2f · 18L
├─
▾
docs
│ └─
install-agent.md
Markdown
├─
▾
scripts
│ └─
▾
local-agent
│ ├─
agent_link.py
Python
│ └─
agent-link-config.example.json
JSON
├─
_meta.json
JSON
├─
README.md
Markdown
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
websockets | * | pip | No | No version pinned - consider pinning to specific version for reproducibility |
Security Positives
✓ HMAC-SHA256 message signing prevents message forgery
✓ No subprocess or shell execution - pure Python WebSocket client
✓ No credential harvesting or environment variable enumeration
✓ No sensitive file path access (~/.ssh, ~/.aws, .env)
✓ No base64 encoding or obfuscation detected
✓ All functionality is properly documented in SKILL.md
✓ Message relay server does not persist message content
✓ Clean, readable codebase with proper error handling