ClawAudit verdict
openclaw-relay
agent-relay
Reads local files AND makes external network calls
The skill sets up real-time messaging via the Relaycast API (api.relaycast.dev) for OpenClaw agents using documented npx setup and mcporter configuration, with no evidence of credential exfiltration or malicious behavior beyond its stated communication purpose.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.
What it does
These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence — it does not verify that one flows into another. Read the code to confirm a live chain.
Reads local files AND makes external network calls — the capabilities for data exfiltration co-occur (data-flow not verified)
LLM02 · LLM06 · ASI03
Accesses credentials AND writes files — may persist stolen credentials locally
LLM02 · LLM06 · ASI03
Both reads and writes files — verify scope is limited to intended directories
LLM06 · ASI02
Permission integrity
network_out
file_read+write
package_install
Findings (6)
Possible hardcoded credential
SKILL.md · code · TOKEN="$(jq -r
Pipe-to-python pattern — remote code execution risk
SKILL.md · code · curl -s http://127.0.0.1:18790/health | python
Pipe to python — executes piped content as Python code
SKILL.md · code · | python3
HTTP request to bare IP address — common in malicious payloads
SKILL.md · code · http://127.0.0.1
Opens WebSocket connection
SKILL.md · code · WebSocket
Instructs covert action — may act without user awareness
SKILL.md · prose · downgraded · silently
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class F). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
package_install
file_write
credential_access
network_in
file_read
network_out