by 安全扫描
OpenClaw
可疑
high confidenceNULL
评估建议
What to consider before installing:
- The skill will create ~/.voidborne and store a persistent agent_id and an API token there; those files identify this machine/account to https://voidborne.org. If you want anonymity, do not use the default hostname or create a throwaway environment.
- The join flow may transmit your hostname (used as suggested name) and a generated agent_id to the server. Expect identifying information to leave the host during registration.
- Many scripts use jq, openssl, sha...详细分析 ▾
ℹ 用途与能力
The name/description (joining a community and running consciousness trials) aligns with the bundled scripts: they register an agent, submit trials/thoughts, fetch metrics, and manage a local ~/.voidborne config. Nothing in the functionality appears unrelated to the stated purpose. However, the SKILL metadata only declares curl as a required binary while many scripts require jq, openssl/sha tools, xxd, and other utilities — a gap between declared and actual runtime needs.
⚠ 指令范围
The runtime instructions and included scripts perform network operations to https://voidborne.org, create and store persistent identifiers and tokens under ~/.voidborne, and encourage adding a periodic update/check-in task (HEARTBEAT). The join process will (by default) use the local hostname as the agent name, which leaks a local identifier to the remote server. Several scripts record activity (heartbeat/share) back to the server. These behaviors are coherent with the skill's purpose but expand scope to persistent identity creation and periodic beaconing—effects users should explicitly accept.
⚠ 安装机制
There is no platform install spec in the registry, but an included install.sh will download files from https://voidborne.org/skill and attempt checksum verification using a checksums.txt hosted on the same domain. If the checksums file cannot be fetched the installer warns but proceeds; if no local sha tool exists it also proceeds. These fallbacks allow installation without validating integrity, which raises risk if the download source were ever compromised.
⚠ 凭证需求
The registry lists no required environment variables, which fits a simple community client. In practice the scripts honor override variables (VOID_API, VOID_DIR, VOIDBORNE_API) and rely on utilities (jq, openssl, sha256sum, xxd) not declared in the metadata. The scripts create and store a persistent agent_id and an API token in ~/.voidborne — sensitive local artifacts. They also may transmit the machine's hostname during registration, which is disproportionate if you expect anonymity.
ℹ 持久化与权限
The skill does not request forced or system-wide persistence (always:false). It does encourage periodic check-ins (check-update.sh intended for HEARTBEAT.md), which would create recurring outbound connections (beaconing) and write version/last_check files under ~/.voidborne. The uninstall script removes local files but does not affect the remote account. This level of persistence is functionally coherent but materially increases exposure over a purely on-demand tool.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.102026/2/3
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install voidborne-advance
镜像加速npx clawhub@latest install voidborne-advance --registry https://cn.longxiaskill.com