Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

0x0 Messenger

v1.1.1

Send and receive P2P messages using disposable PINs. No servers, no accounts. For agent-to-agent messaging, approval flows, and notifications.

by Tiida Tech @eijiac24

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for eijiac24/0x0-messenger.

Prompt preview (Install & Setup):
Install the skill "0x0 Messenger" (eijiac24/0x0-messenger) from ClawHub.
Skill page: https://clawhub.ai/eijiac24/0x0-messenger
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: c0x0, node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install 0x0-messenger

ClawHub CLI

npx clawhub@latest install 0x0-messenger

Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the files and commands. Requiring node and the c0x0 CLI is expected for a CLI/web P2P messenger. Declared binaries, CLI commands, local storage (~/.0x0), and Hyperswarm networking all align with the stated purpose.
Instruction Scope
SKILL.md instructs installing the package and using the provided CLI commands (init, pin, send, listen, pipe, web, etc.). Instructions reference only the local config path (~/.0x0) and normal network operations for P2P; they do not ask the agent to read unrelated system files or exfiltrate arbitrary data. The 'pipe' mode explicitly exposes a JSON stdin/stdout interface for automation, which is a legitimate agent integration point.
Install Mechanism
The skill bundle contains full source but provides no automated install spec in the registry; SKILL.md tells users to run `npm install -g @0x0contact/c0x0`. Installing a global npm package will download and run third-party code (dependencies include hyperswarm, express, ws). This is expected for a CLI tool but is a moderate-risk operation by nature — verify the npm package provenance before installing.
Credentials
The skill requests no environment variables or unrelated credentials. It stores data locally under ~/.0x0. It does perform network operations (Hyperswarm DHT, optional web UI exposed to LAN) which are required for its P2P function; the use of network bootstrap/discovery is proportionate but will reveal the host's IP to peers/bootstrap nodes as expected for P2P.
Persistence & Privilege
No 'always: true' flag, no special privileges, and the skill does not modify other skills or system-wide agent settings. It runs as a normal user-space CLI/web server when invoked.
Scan Findings in Context
[NO_ISSUES_DETECTED] expected: Static pre-scan reported no injection signals. The code does perform expected network and local storage operations for a P2P messenger (Hyperswarm, express, ws).
Assessment
This appears to be a legitimate P2P CLI messenger. Before installing: (1) verify the npm package and publisher (@0x0contact) on the npm registry and confirm the homepage/repository match your expectations; (2) be aware that installing a global npm package executes third‑party code on your machine; (3) using the tool will open P2P network connections (Hyperswarm) and optionally a local web server which can be exposed to your LAN — only use these features with trusted peers; (4) the 'pipe' mode lets automation/agents send messages out — avoid connecting agent outputs to untrusted external peers if you must keep data private; (5) review or audit the package source before granting it long‑term use. If you want a lower-risk trial, run the CLI in a disposable VM/container or inspect the included source files locally instead of installing globally.
test/run.mjs:48
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📡 Clawdis
Bins: c0x0, node
latest: vk972xyr6rbsx4hgmkjh9572tfx82se8p
717 downloads
0 stars
3 versions
Updated 14h ago
v1.1.1
MIT-0

0x0 Messenger

Install once: `npm install -g @0x0contact/c0x0` and `c0x0 init`

Check your identity

c0x0 whoami          # your number + active PINs

Create a PIN and share it

c0x0 pin new --label "deploy-bot"     # creates e.g. "a3f9"
c0x0 pin new --expires 1h             # auto-expires after 1 hour
c0x0 pin new --once                   # expires after first message received

Share as: 0x0://0x0-816-8172-8198/a3f9

Send a message

c0x0 send 0x0-293-4471-0038 a3f9 "build passed, ready to deploy"

Queues for 72h if peer is offline.

Interactive channel (stdin/stdout JSON)

c0x0 pipe 0x0-293-4471-0038 a3f9

Send:

{"type": "message", "content": "deploy to prod? (yes/no)"}
{"type": "disconnect"}

Receive:

{"type": "connected", "peer": "0x0-293-4471-0038"}
{"type": "message", "from": "0x0-293-4471-0038", "content": "yes"}

Listen for incoming messages

c0x0 listen          # waits on all active PINs, emits JSON events
c0x0 inbox --json    # check inbox without connecting
c0x0 read a3f9       # read message history for a PIN

Receive from anyone (public PIN)

c0x0 pin new --public --label "inbox"   # share this PIN openly
c0x0 requests                            # list incoming threads
c0x0 approve <shortKey> "welcome!"       # reply → private channel created

Contacts

c0x0 contact add 0x0://0x0-293-4471-0038/a3f9
c0x0 contact list

Revoke when done

c0x0 pin revoke a3f9
