Openclaw Mesh Review
Audited by ClawScan on May 13, 2026.
Overview
The skill appears to do what it claims—connect OpenClaw gateways over Tailscale—but it intentionally enables cross-agent messaging and token-based gateway access that should only be used in a trusted private tailnet.
Install this only if you want trusted OpenClaw gateways in the same private Tailscale tailnet to communicate. Configure a strong shared secret, use least-privilege gateway tokens via environment variables, restrict `allowAgents`, and ensure `/mesh/hello` and `/mesh/send` are not reachable from the public internet.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A trusted or compromised tailnet peer with the shared secret could obtain a session token and send messages to locally allowed agents.
The mesh intentionally lets OpenClaw gateways exchange messages, and peer identity is not independently verified beyond the shared secret and Tailscale network controls.
The peer's `nodeId` is self-declared by the remote side; the local node performs no additional verification. The security boundary relies on Tailscale network-layer access control.
Use only in a private Tailscale tailnet, restrict access with Tailscale ACLs, keep `/mesh/hello` and `/mesh/send` off the public internet, and rotate the shared secret if membership changes.
If the gateway token or shared secret is over-privileged or leaked, another node could gain more access to local agents than intended.
The plugin requires a local gateway token and shared mesh secret to proxy cross-node agent calls, which is expected for this integration but sensitive.
"MESH_GATEWAY_TOKEN", "description": "Local gateway auth token used for mesh proxy calls (least-privilege recommended)"
Use environment-variable references, least-privilege gateway tokens, narrow `allowAgents`, and rotate tokens/secrets regularly.
Authorized peers can prompt allowed local agents without a separate per-message user confirmation, which may trigger downstream agent behavior depending on that agent's tools.
An authenticated `/mesh/send` request can cause the plugin to call a local OpenClaw agent using the configured gateway token. The code applies `allowAgents` and uses `execFile`, but this is still high-impact delegated action.
"gateway", "call", "--url", localUrl, "--token", session.meshToken, "--timeout", String(timeoutMs), "--expect-final", "--json", "agent"
Keep `allowAgents` as small as possible, avoid allowing highly privileged agents, set reasonable timeouts, and monitor mesh usage.
The plugin depends on and runs local `tailscale` and `openclaw` binaries while enabled.
The plugin executes the local Tailscale CLI for peer discovery. This is expected for the stated purpose and is not shell-based, but users should know local commands are run.
({ stdout } = await execFileAsync(bin, ["status", "--json"]));
Install only on systems where those binaries are trusted and keep them updated.
While enabled, it periodically checks Tailscale peers and may probe their `/health` endpoints.
The plugin starts a recurring background discovery loop. This is disclosed by the discovery interval configuration and fits the mesh purpose.
setInterval(() => { void runDiscoveryCycle(store, logger, config); }, interval);
Disable the plugin, increase the discovery interval, or turn probing off if continuous discovery is not desired.
