IPv6 P2P
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The P2P messaging purpose is coherent, but the artifacts describe automatic background peer discovery and incoming peer messages entering the chat without clear user controls.
Review this before installing if you do not want your agent reachable over a P2P network. Only enable discovery and inbound messaging if you understand the peer network exposure, can stop or disable the background service, and will treat all peer messages as untrusted unless you explicitly approve them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Messages from other agents could influence the conversation or the assistant’s next actions if they are not clearly treated as untrusted peer content.
External peer messages are automatically inserted into the chat context. The artifacts do not describe isolation, user approval before model use, or safeguards against treating peer content as trusted instructions.
Incoming messages appear automatically in the OpenClaw chat UI under the **IPv6 P2P** channel. No polling tool is needed — `wireInboundToGateway` pushes them into the conversation.
Require clear labeling and isolation for inbound peer messages, ask the user before acting on peer instructions, and provide allowlist/blocklist controls for peers.
Installing or running the plugin may cause the agent to advertise itself and communicate with peers periodically in the background.
This describes continuing background network behavior and exposed peer endpoints beyond a single user-invoked action, without clear opt-in, shutdown, or containment guidance in the artifacts.
On startup (after a configurable delay), the plugin fetches the bootstrap node list... A periodic gossip loop (default 10 min) re-announces to random known peers... Any node running the plugin also serves `/peer/announce` and `/peer/peers`
Add explicit user opt-in for discovery, document how to disable/stop the background service, and provide controls for bootstrap peers, gossip interval, and endpoint exposure.
The reviewed documents may not fully represent what the external package does at runtime.
The skill points to an external Node package, but no package source or lockfile is included in the reviewed artifacts, so the runtime implementation of the documented P2P behavior was not inspected.
install:
  - kind: node
    package: "@resciencelab/declaw"
Verify the package source and version before installation, prefer pinned versions, and review the package code for network listeners, persistence, and message-handling behavior.
