ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Communication

v0.1.1

支持Agent间消息传递、广播、状态同步和共享工作空间,提高多Agent团队协作效率并解决通信超时问题。

0· 389·2 current·2 all-time
by@dfshmily
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Agent communication via WebSocket) align with the included scripts (broker, websocket_client, send, broadcast, status, workspace). No unrelated binaries, credentials, or external services are required by the code.
Instruction Scope
SKILL.md and scripts instruct running a local WebSocket server and clients and saving messages to a local data/ directory. The broker binds to 0.0.0.0:8765 (all interfaces) which is expected for a messaging service but can expose the service to the network — consider binding to localhost or adding firewall rules. Test scripts include a hard-coded sys.path insert pointing at an absolute '/root/.openclaw/...' path (test_websocket.py), which is an environment-specific assumption but not evidence of malicious behavior.
Install Mechanism
No install spec is embedded; runtime instructions ask to pip install the single dependency 'websockets'. This is low-risk and proportionate to the code's needs. There is no downloading of arbitrary archives or remote executables.
Credentials
The skill requests no environment variables or credentials. The code does not read secrets or external config; it only reads/writes local files under its data/ directory and templates/config.json. This is proportionate to its functionality.
Persistence & Privilege
The skill is not always-included and does not request elevated platform privileges. It writes only to its own data/ directory and does not modify other skills or global agent configuration.
Assessment
This skill appears to do what it says: a local WebSocket broker and client tools that keep messages on disk. Before installing or running: (1) run it in a trusted or isolated network or change the broker HOST from 0.0.0.0 to 127.0.0.1 if you do not want it reachable externally; (2) review and control access to the skill's data/ directory (message, status, workspace files are stored there); (3) install the 'websockets' dependency in a virtualenv to avoid affecting system Python; (4) be aware test_websocket.py uses an absolute '/root/.openclaw/...' path which may need adjustment in your environment; (5) note minor metadata/version inconsistencies in README/_meta vs registry metadata (harmless but worth checking the publisher). If you need the broker accessible beyond the host, place it behind appropriate network controls (firewall, auth proxy) — otherwise bind to localhost.

Like a lobster shell, security has layers — review code before you run it.

latestvk976pxabhthz9zdks7kwp333n1821tg5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments