Secure P2p Messenger Real
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe messages have stronger protections, authentication, and metadata privacy than the tool actually provides.
The documentation advertises strong security properties, but the included script uses a long-term RSA key to wrap session keys, emits no GCM authTag in the message package, leaves sender/timestamp metadata in plaintext, and does not implement encrypted communication-record storage. These overclaims could cause users to trust it for sensitive communications beyond what the implementation supports.
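- **Perfect forward secrecy** (a new key is generated for each session)
- **Message integrity verification** (GCM authentication tag)
...
- Message metadata protection (sender, timestamp)
- Locally encrypted storage of communication records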
Use this only for testing unless the implementation is updated and independently reviewed; document the actual guarantees clearly and avoid claiming perfect forward secrecy, metadata protection, or authenticated messaging unless implemented.
Anyone who gains access to the private key file could impersonate the user or decrypt messages intended for that identity.
The skill creates and persists a local private key used as the user's messaging identity. This is expected for encrypted messaging, but it is sensitive identity material.
openssl genrsa -out "$KEYRING_DIR/private.pem" 2048 2>/dev/null
openssl rsa -in "$KEYRING_DIR/private.pem" -pubout -out "$KEYRING_DIR/public.pem"
Protect the ~/.openclaw/secure-p2p/keyring directory, consider passphrase-protecting private keys, and back them up securely.
Installation changes files under the user's home directory, and the optional --link mode can create a global command symlink.
The local installer creates persistent configuration directories and can optionally modify /usr/local/bin with sudo. This is disclosed and purpose-aligned, but it is still a local environment change users should notice.
mkdir -p "$KEYRING_DIR" "$LOG_DIR"
chmod 700 "$KEYRING_DIR"
...
if [ "$1" = "--link" ]; then
sudo ln -sf "$SCRIPT_DIR/secure-messenger.sh" /usr/local/bin/secure-messenger
Run the installer only from a trusted copy of the skill and avoid --link unless you want a system-wide command.
If an agent blindly uses an untrusted contact ID, it could create or overwrite unexpected .pub or .name files in the user's filesystem.
Contact IDs are written into file paths without validation. This is part of contact management, but crafted IDs containing path separators could write files outside the intended contacts directory.
echo "$public_key" | base64 -d > "$CONTACTS_DIR/$contact_id.pub" 2>/dev/null
echo "$contact_name" > "$CONTACTS_DIR/$contact_id.name"
Only add contacts with simple trusted IDs, and the skill should validate IDs to a safe character set such as letters, numbers, underscores, and hyphens.
