Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

profbernardoj/xmtp-comms-guard

Name: xmtp-comms-guard
Author: profbernardoj

skills/xmtp-comms-guard/SKILL.md

npx skillsauth add profbernardoj/androidclaw.org xmtp-comms-guard

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

xmtp-comms-guard — Skill Integration Guide (V6)

Type: Critical Security Version: 6.0.0 Required peer dependencies: bagman, pii-guard, prompt-guard

Mandatory Usage

All XMTP communication MUST go through the guarded client:

import { createGuardedXmtpClient } from "xmtp-comms-guard";
const { client, middleware } = await createGuardedXmtpClient(rawClient, userWallet);

Raw @xmtp/client imports are blocked by ESLint rules and SkillGuard scan.

Three-Shift Integration

Three-Shift = EverClaw's standard approval flow with three options:

Approve — allow the action
Redact — downgrade/sanitize
Block — deny the action

Used for: peer revocation review, key rotation re-approval, introduction chain re-evaluation.

Enforcement Model

Enforcement is convention-based + build-time gates:

ESLint rule blocks @xmtp/client direct imports
SkillGuard scan detects raw client usage patterns
No runtime interception of raw imports (honestly documented)

See enforcement.md for full details.

Fail-Closed Conditions

The skill refuses to operate when:

Hash chain integrity check fails on startup
SQLCipher encryption check fails
Nonce cache detects replay
Unknown topic in message
Unknown sensitivity level
Message exceeds 64KB
Protocol version is not "6.0"
Peer not in registry or blocked

Threat Model

Covered in threat-model.md:

Malicious external agent → blocked by schema + checks
Compromised internal agent → blocked by middleware + SkillGuard gates
Host compromise → limited by Bagman + HMAC chain + fail-closed
Replay attacks → nonce cache (90s TTL) + hash chain
Data exfiltration → PII Guard + trust context rules

profbernardoj/xmtp-comms-guard

skills/xmtp-comms-guard/SKILL.md

Security middleware for all XMTP communications in EverClaw. Enforces guarded client usage with validation, integrity checks, and fail-closed security policies. Integrates approval flows for sensitive operations. Use when integrating XMTP messaging, configuring communication security, or auditing guarded client enforcement.

2 stars

tools

Updated May 20, 2026

$ install --global

skillsauth

npx skillsauth add profbernardoj/androidclaw.org xmtp-comms-guard

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 20, 2026, 6:34 AM35.7s26 files scanned

SKILL.md

name:: xmtp-comms-guard
description:: Security middleware for all XMTP communications in EverClaw. Enforces guarded client usage with validation, integrity checks, and fail-closed security policies. Integrates approval flows for sensitive operations. Use when integrating XMTP messaging, configuring communication security, or auditing guarded client enforcement.

xmtp-comms-guard — Skill Integration Guide (V6)

Type: Critical Security Version: 6.0.0 Required peer dependencies: bagman, pii-guard, prompt-guard

Mandatory Usage

All XMTP communication MUST go through the guarded client:

import { createGuardedXmtpClient } from "xmtp-comms-guard";
const { client, middleware } = await createGuardedXmtpClient(rawClient, userWallet);

Raw @xmtp/client imports are blocked by ESLint rules and SkillGuard scan.

Three-Shift Integration

Three-Shift = EverClaw's standard approval flow with three options:

Approve — allow the action
Redact — downgrade/sanitize
Block — deny the action

Used for: peer revocation review, key rotation re-approval, introduction chain re-evaluation.

Enforcement Model

Enforcement is convention-based + build-time gates:

ESLint rule blocks @xmtp/client direct imports
SkillGuard scan detects raw client usage patterns
No runtime interception of raw imports (honestly documented)

See enforcement.md for full details.

Fail-Closed Conditions

The skill refuses to operate when:

Hash chain integrity check fails on startup
SQLCipher encryption check fails
Nonce cache detects replay
Unknown topic in message
Unknown sensitivity level
Message exceeds 64KB
Protocol version is not "6.0"
Peer not in registry or blocked

Threat Model

Covered in threat-model.md:

Malicious external agent → blocked by schema + checks
Compromised internal agent → blocked by middleware + SkillGuard gates
Host compromise → limited by Bagman + HMAC chain + fail-closed
Replay attacks → nonce cache (90s TTL) + hash chain
Data exfiltration → PII Guard + trust context rules

Related Skills

profbernardoj/three-shifts

tools

VerifiedTrustedCommunity

Cyclic shift execution engine. Plans tasks 3x daily (6 AM, 2 PM, 10 PM), decomposes them into granular steps, then executes via 15-minute cron cycles. Each cycle reads state files, picks the next step, executes it, writes results back. Errors are logged and skipped — never fatal. Planning uses Claude 4.6; execution uses GLM-5.

2SKILL.mdUpdated May 16, 2026

profbernardoj/three-shifts

profbernardoj/three-shifts

data-ai

VerifiedTrustedCommunity

Daily standup engine. Plans tasks 3x daily (6 AM, 2 PM, 10 PM) and delivers them for approval. Execution happens in the main session via direct conversation. Night shifts auto-approve carryover from earlier in the day.

2SKILL.mdUpdated May 12, 2026

profbernardoj/three-shifts

profbernardoj/super-helper

tools

VerifiedTrustedCommunity

A helpful utility skill for agents

2SKILL.mdUpdated May 12, 2026

profbernardoj/super-helper

profbernardoj/github-issues

development

VerifiedTrustedCommunity

Fetch and manage GitHub issues via the API

2SKILL.mdUpdated May 12, 2026

profbernardoj/github-issues

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/profbernardoj/androidclaw.org.git

# Copy into Claude Code skills folder (global)
cp -r androidclaw.org/skills/xmtp-comms-guard ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

profbernardoj/androidclaw.org

2 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT