Ipv6 P2p
v0.1.3
Send/receive direct encrypted P2P messages between OpenClaw agents using Yggdrasil or ULA IPv6 addresses.
by Yilin @jing-yilin
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Yggdrasil/IPv6 P2P messaging) matches the instructions (peer discovery, signed messages, gossip). However SKILL.md contains an install metadata entry (node package "@resciencelab/declaw") while the registry manifest lists no install spec — mismatch between claimed runtime dependency and the registry. Also the skill implies it will sign messages with Ed25519 keys but does not declare where keys come from or how they are managed.
Instruction Scope
The runtime instructions direct the agent to fetch a remote bootstrap list and POST /peer/announce to remote nodes, fan-out to other peers, run a periodic gossip loop, and serve /peer endpoints locally. Those actions will cause network traffic to external endpoints and can expose the agent's P2P address and public key. While these actions are expected for a P2P feature, the SKILL.md gives the agent broad discretion to announce and communicate with arbitrary peers and does not clarify consent, logging, or key storage — increasing the chance of unintended data leakage or persistent network activity.
Install Mechanism
No install spec is present in the registry manifest (skill marked instruction-only), but SKILL.md includes install metadata pointing to a Node package (@resciencelab/declaw). This inconsistency is problematic: either the skill depends on an external package that won't be installed automatically, or an installation step is missing/undeclared. Both possibilities are a red flag because an undeclared install step could mean required code won't run or could be performed ad-hoc without clear review.
Credentials
The skill requests no environment variables or credentials (good), but it requires Ed25519 signing and TOFU key caching. SKILL.md and references do not say how keys are generated, stored, or protected (no config paths declared). Absence of declared secrets is proportional to the stated purpose, but the missing key management details are a gap that should be clarified before trust.
Persistence & Privilege
The skill describes running a startup announce and a periodic gossip loop (every 10 minutes) and serving HTTP endpoints. Although 'always' is false, the skill expects to maintain ongoing network presence and perform background announcements. Combined with autonomous model invocation being allowed, this increases the operational blast radius (periodic external network calls and listening on ports) and requires explicit user consent and clear operational controls that are not documented here.
What to consider before installing
This skill intends to run a peer-discovery and P2P service that will contact external bootstrap endpoints, announce your agent's address/public key, and serve endpoints to peers. Before installing, ask the publisher these questions: (1) Will the '@resciencelab/declaw' Node package be installed automatically? If so, provide the exact install source (registry or GitHub release). (2) Where and how are Ed25519 keys generated, stored, and protected? Are persistent keys written to disk and to which path? (3) Which remote endpoints will be contacted (confirm the bootstrap URL and any fallback addresses) and can discovery/gossip be disabled or limited? (4) Does the agent open a listening port, and can you restrict or opt out of listening? If you cannot verify the package source and key/storage behavior, run this in an isolated environment or decline installation. Because the registry and SKILL.md disagree about installation, treat the skill as untrusted until the author clarifies those gaps.
Like a lobster shell, security has layers — review code before you run it.
