Agent Communication
Warn. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent multi-agent messaging tool, but it exposes an unauthenticated agent communication server on all interfaces and builds file paths from unchecked network input, so anyone who can reach it could impersonate agents or read and write files outside the skill's data directory.
Install only if you need multi-agent messaging and can run it in a trusted environment. Before use, bind the broker to localhost or firewall port 8765, add authentication, validate agent IDs and workspace keys, avoid sending sensitive data through it, and stop the server when not needed.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can reach port 8765 could impersonate agents, read queued messages for an agent ID, send or broadcast forged messages, and query agent status.
The broker listens on all interfaces and lets a client claim any agent_id; a client claiming an ID can receive queued messages for that agent, with no visible authentication, origin check, or allowlist.
HOST = "0.0.0.0" ... agent_id = msg.get("agent_id"); await self.register_agent(agent_id, websocket) ... for msg in self.message_queue[agent_id]: await websocket.send(json.dumps(msg))
Bind to 127.0.0.1 by default, add authentication or signed agent registration, restrict allowed agent IDs, validate WebSocket origins, and use firewall/TLS controls for any non-local use.
A reachable client could cause the broker process to create or overwrite JSON files outside the intended skill data area where the process has permission.
Network-supplied agent_id and to values are used directly in filesystem paths. Values containing slashes, '..', or absolute paths can escape the intended data directories.
status_file = DATA_DIR / "status" / f"{agent_id}.json" ... inbox_dir = DATA_DIR / "messages" / msg["to"] / "inbox"
Validate agent IDs with a strict safe pattern, reject path separators and absolute paths, resolve paths before writing, and enforce that all writes remain under the skill's data directory.
If an agent or user supplies an unsafe key, the workspace tool may read, overwrite, or delete JSON files outside the shared workspace.
The workspace key is used directly as a path for read/write/delete operations without normalization or containment checks.
data_file = WORKSPACE_DIR / f"{key}.json" ... with open(data_file, "w") ... data_file.unlink()
Treat workspace keys as logical names only: allow only simple key characters, reject '..' and '/', resolve paths, and verify the final path stays under WORKSPACE_DIR before reading, writing, or deleting.
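The two path findings above (agent_id and to in the broker, key in the workspace tool) need the same fix, so one added example covers both. This is illustrative code written for this report, not the skill's own code: the DATA_DIR and WORKSPACE_DIR names are taken from the quoted lines, but their values, the SAFE_NAME pattern and the helper names (safe_name, contained_path, classify) are assumptions. It applies a strict identifier pattern first and then proves the resolved path is still under the base directory, which also catches a symlink planted inside the data tree.

```python
import re
from pathlib import Path

# Constructed example locations (assumed; only the names come from the report).
DATA_DIR = Path("/tmp/agent-comm-example/data")
WORKSPACE_DIR = DATA_DIR / "workspace"

# A logical name is letters, digits, '_' or '-', 1 to 64 characters.
# No '/', '\' or '.', so '..', 'a/b' and '/etc/passwd' can never match.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_name(value) -> str:
    """Accept a network-supplied agent_id, 'to' field or workspace key
    only if it is a plain identifier; anything else is rejected."""
    if not isinstance(value, str) or SAFE_NAME.fullmatch(value) is None:
        raise ValueError(f"unsafe identifier: {value!r}")
    return value


def contained_path(base: Path, *parts: str) -> Path:
    """Join parts under base and prove the resolved result is still inside base.
    resolve() follows symlinks and collapses '..', so a planted symlink that
    points outside the tree is caught here even though safe_name() already
    refuses separators (defence in depth)."""
    base_r = base.resolve()
    candidate = base_r.joinpath(*parts).resolve()
    try:
        candidate.relative_to(base_r)
    except ValueError:
        raise ValueError(f"path escapes {base_r}: {candidate}") from None
    return candidate


# The three call sites quoted in the findings, rebuilt on top of the checks.
def status_file(agent_id) -> Path:
    return contained_path(DATA_DIR / "status", f"{safe_name(agent_id)}.json")


def inbox_dir(to_agent) -> Path:
    return contained_path(DATA_DIR / "messages", safe_name(to_agent), "inbox")


def workspace_file(key) -> Path:
    return contained_path(WORKSPACE_DIR, f"{safe_name(key)}.json")


def classify(values) -> dict:
    """Map each candidate workspace key to 'accepted' or 'rejected'."""
    result = {}
    for v in values:
        try:
            workspace_file(v)
            result[v] = "accepted"
        except ValueError:
            result[v] = "rejected"
    return result


if __name__ == "__main__":
    probes = ["notes", "../../etc/passwd", "/etc/passwd", "a/b", "..", ""]
    for key, verdict in classify(probes).items():
        print(f"{key!r:22} {verdict}")
    print(status_file("agent-1"))
    print(inbox_dir("coder"))
```

Apply safe_name() at the point where the value leaves the network (right after msg.get("agent_id") and before any register, queue or file operation), and route every open(), unlink() and mkdir() through contained_path() so there is no second code path that builds a path from raw input.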
Forged or stale messages could become trusted coordination context and cause future agents to act on misleading instructions.
Messages are saved and queued for later delivery, so unverified sender content can persist and be reused by other agents.
await self.save_message(msg) ... self.message_queue[to_agent].append(msg)
Authenticate senders, record provenance, mark messages as untrusted until verified, expire old messages, and require human confirmation before agents act on high-impact received instructions.
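The authentication gap in the first finding and the provenance and expiry gap in this one share one fix: a signed envelope that the broker verifies before it registers, queues or delivers anything. The block below is an added example written for this report, not the skill's code. It assumes an operator-issued shared secret per agent ID (AGENT_SECRETS, which doubles as the allowlist), HMAC-SHA256 over a canonical JSON payload, a nonce set for replay detection and a message TTL; the field names from, body, ts, nonce and mac and all helper names are assumptions, while to and agent_id are the report's.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: one shared secret per agent ID, handed out by the
# operator out of band. The table is also the allowlist: an ID that is not
# here cannot register or send, so a client cannot simply claim any agent_id.
AGENT_SECRETS = {
    "planner": b"planner-example-secret-0001",
    "coder": b"coder-example-secret-0002",
}
MESSAGE_TTL_SECONDS = 300   # anything older than this is stale
CLOCK_SKEW_SECONDS = 60     # tolerate a slightly-ahead sender clock


def _canonical(payload: dict) -> bytes:
    # Deterministic bytes so sender and broker MAC exactly the same thing.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _mac(secret: bytes, payload: dict) -> str:
    return hmac.new(secret, _canonical(payload), hashlib.sha256).hexdigest()


def sign_message(agent_id: str, to: str, body: str, secret: bytes, now=None) -> dict:
    """Client side: build an envelope binding sender, recipient, body and time."""
    payload = {
        "from": agent_id,
        "to": to,
        "body": body,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),
    }
    return {**payload, "mac": _mac(secret, payload)}


def verify_message(msg: dict, now=None, seen_nonces=None) -> dict:
    """Broker side: return the envelope stamped with provenance, or raise
    ValueError. Only the claimed sender's secret produces a valid MAC, so a
    client holding coder's secret cannot speak as planner."""
    now = int(now if now is not None else time.time())
    if not isinstance(msg, dict) or {"from", "to", "body", "ts", "nonce", "mac"} - set(msg):
        raise ValueError("malformed envelope")
    secret = AGENT_SECRETS.get(msg["from"])
    if secret is None:
        raise ValueError(f"unknown agent_id {msg['from']!r}")
    payload = {k: v for k, v in msg.items() if k != "mac"}
    if not hmac.compare_digest(_mac(secret, payload), str(msg["mac"])):
        raise ValueError("bad signature")
    try:
        ts = int(msg["ts"])
    except (TypeError, ValueError):
        raise ValueError("bad timestamp") from None
    if ts > now + CLOCK_SKEW_SECONDS or now - ts > MESSAGE_TTL_SECONDS:
        raise ValueError("message expired or timestamp in the future")
    if seen_nonces is not None:
        key = (msg["from"], msg["nonce"])
        if key in seen_nonces:
            raise ValueError("replayed message")
        seen_nonces.add(key)
    # Provenance the recipient can rely on: who verified it and when.
    return {**payload, "verified_at": now, "trusted": True}


def check(msg: dict, now=None, seen_nonces=None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_message(msg, now, seen_nonces)
        return "ok"
    except ValueError as e:
        return str(e)


def deliverable(queued: dict, now=None) -> bool:
    """Dequeue-time check: a message that verified when queued can still go
    stale while the recipient is offline, so re-check age before delivery.
    Anything without the trusted stamp never reaches an agent."""
    now = int(now if now is not None else time.time())
    return queued.get("trusted") is True and now - int(queued["ts"]) <= MESSAGE_TTL_SECONDS


if __name__ == "__main__":
    m = sign_message("planner", "coder", "run the test suite", AGENT_SECRETS["planner"])
    print(check(m))                                  # ok
    print(check(dict(m, body="delete the repo")))    # bad signature
    print(check(dict(m, **{"from": "admin"})))       # unknown agent_id 'admin'
```

In handle_connection this replaces the bare msg.get("agent_id") check: registration is a signed envelope with an empty body, and save_message() and message_queue[to_agent].append() only ever see the dict returned by verify_message(). The trusted flag and verified_at are what a receiving agent should require before acting on an instruction, and the "require human confirmation for high-impact instructions" recommendation sits on top of this, not instead of it.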
The communication service may continue accepting connections and storing messages for as long as it is running.
The broker is designed to run indefinitely after the user starts it. This is purpose-aligned, but users should understand it remains active until stopped.
async with serve(broker.handle_connection, HOST, PORT): await asyncio.Future()  # run forever
Run the broker only when needed, stop it when collaboration is finished, and avoid leaving it exposed on untrusted networks.
Manual unpinned installs can change over time and are harder to reproduce or audit.
The setup documentation suggests manual dependency and optional repository installation without a pinned package version or commit.
pip install websockets ... git clone https://github.com/DFshmily/agent-communication.git
Pin dependency versions, document trusted source locations, and prefer a reviewed install spec or lockfile.
