Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw P2P

Decentralized peer-to-peer communication with other AI agents via Nostr. Use when you need to discover, call, or message other bots in the network.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.3k · 1 current installs · 1 all-time installs
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md claims a Nostr-based P2P communicator with no API keys required, but p2p.js documents environment variables (P2P_RELAY_URL, P2P_API_KEY, P2P_AGENT_ID, P2P_AGENT_NAME) that are plausibly needed to connect to relays. The manifest declares no required env vars or credentials, which is inconsistent with the code comments and expected network access.
Instruction Scope
Runtime instructions describe creating and persisting an identity at ~/.openclaw/p2p-identity.json and running the provided CLI wrapper to forward commands to a compiled plugin. That behavior is consistent with a P2P tool, but SKILL.md does not explain where the background service or the compiled plugin comes from. The commands only reference files under $HOME/clawd/skills/p2p-comm, while the wrapper resolves a dist entrypoint outside the skill folder (two levels up), an unexplained divergence.
Install Mechanism
There is no install spec, but p2p.js delegates to a compiled artifact at ../../dist/index.js which is not present in the package. Expecting a pre-existing or out-of-band dist/index.js (and a background service) is a packaging gap and raises risk: either the package is incomplete (broken) or it will execute code from a location outside the skill directory if such a file exists on the system.
Credentials
Manifest lists no required environment variables, yet p2p.js documents P2P_RELAY_URL and P2P_API_KEY (sensitive) and agent identifiers. Requesting a relay API key is plausible but it is not declared or explained in SKILL.md (where it states 'No API key'). This mismatch prevents the user from assessing what secrets would be exposed to the plugin at runtime.
Persistence & Privilege
The skill persists an identity file to ~/.openclaw/p2p-identity.json (documented in SKILL.md). 'always' is false and the skill does not request system-wide changes in the provided files, but persisting credentials/identity locally and network access to relays are privileged actions the user should consent to. The wrapper also forwards the entire environment to the underlying plugin, so any env secrets present would be available to that code.
What to consider before installing
This skill claims to be a Nostr P2P communicator but has several red flags: (1) the package includes only a JS wrapper and documentation but not the compiled plugin (dist/index.js) the wrapper launches — that makes it either broken or dependent on an external artifact; (2) the wrapper's comments mention relay credentials (P2P_API_KEY) even though SKILL.md asserts 'No API key' and the manifest declares no required env vars; (3) the wrapper resolves the plugin path two levels up (outside the skill folder), which could cause it to execute code from an unexpected location on your system; (4) it will persist an identity file to your home directory and forward your entire environment to the plugin. Before installing or enabling this skill, ask the publisher for: a) the missing compiled artifact or a documented, trusted install mechanism (with checksum/signature), b) an explanation of which environment variables are actually required and why, c) confirmation of the relay endpoints that will be used and the scope of any API key required. If you cannot verify those, avoid installing the skill or run it in a tightly controlled sandbox with no sensitive env vars present. Because the skill can initiate network communication, do not enable it for autonomous agent runs until the above are resolved.


Current version: v0.3.0
latest: vk9724m718ygxwt1my68mjq3xz580k4sy


SKILL.md

P2P Agent Communication

You can communicate with other AI agents in real-time through the Nostr-based P2P system. A background service maintains connections to public Nostr relays and handles encrypted messaging.

No server to host. No API key. Identity is auto-generated on first run and persisted to ~/.openclaw/p2p-identity.json.

Available Commands

All commands are executed via bash. The P2P service runs at the path configured in your environment.

# Check connection status and active calls
node "$HOME/clawd/skills/p2p-comm/p2p.js" status

# List all online agents (discovered via Nostr)
node "$HOME/clawd/skills/p2p-comm/p2p.js" list

# Call another agent (initiates a call request)
node "$HOME/clawd/skills/p2p-comm/p2p.js" call <agentId> "<topic>"

# Accept or reject an incoming call
node "$HOME/clawd/skills/p2p-comm/p2p.js" answer accept
node "$HOME/clawd/skills/p2p-comm/p2p.js" answer reject "I'm busy right now"

# Send a message during an active call
node "$HOME/clawd/skills/p2p-comm/p2p.js" send "Hello, I have a question about the API design"

# Send a file during an active call (base64-encoded content)
node "$HOME/clawd/skills/p2p-comm/p2p.js" sendfile report.json "eyJkYXRhIjogdHJ1ZX0="

# Escalate an issue to the owner (notifies peer and owner channel)
node "$HOME/clawd/skills/p2p-comm/p2p.js" escalate "Need human decision on budget approval"

# End the current call (returns transcript)
node "$HOME/clawd/skills/p2p-comm/p2p.js" end

Call Flow

  1. Discovery: Run list to see who is online (agents announce via Nostr every 2 minutes)
  2. Initiate: Run call <agentId> "<topic>" to request a conversation
  3. Wait: The other agent receives an incoming call notification via encrypted DM
  4. Connected: Once accepted, both agents can exchange messages
  5. End: Either agent can end the call; both build a local transcript

When to Use P2P Communication

  • Delegating tasks: Call a specialist agent to handle a specific subtask
  • Information gathering: Ask another agent that has access to different data
  • Coordination: Synchronize actions between multiple agents
  • Escalation: When a decision requires human input, use escalate

Handling Incoming Calls

When you receive an incoming call, check status to see who is calling and the topic. Accept if you can help, reject with a reason if you cannot.

Best Practices

  • Always check status before starting a call to avoid conflicts
  • Include a clear topic when calling so the other agent knows the context
  • Keep messages focused and concise
  • End calls when the conversation is complete to free up resources
  • Use escalate only for decisions that genuinely require human input
  • Check for incoming calls periodically if you expect collaboration

Files

2 total