ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

0x0 Messenger

Send and receive P2P messages using disposable PINs. No servers, no accounts. For agent-to-agent messaging, approval flows, and notifications.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 417 · 1 current installs · 1 all-time installs
byTiida Tech@EijiAC24
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the files and commands. Requiring node and the c0x0 CLI is expected for a CLI/web P2P messenger. Declared binaries, CLI commands, local storage (~/.0x0), and Hyperswarm networking all align with the stated purpose.
Instruction Scope
SKILL.md instructs installing the package and using the provided CLI commands (init, pin, send, listen, pipe, web, etc.). Instructions reference only the local config path (~/.0x0) and normal network operations for P2P; they do not ask the agent to read unrelated system files or exfiltrate arbitrary data. The 'pipe' mode explicitly exposes a JSON stdin/stdout interface for automation, which is a legitimate agent integration point.
Install Mechanism
The skill bundle contains full source but provides no automated install spec in the registry; SKILL.md tells users to run `npm install -g @0x0contact/c0x0`. Installing a global npm package will download and run third-party code (dependencies include hyperswarm, express, ws). This is expected for a CLI tool but is a moderate-risk operation by nature — verify the npm package provenance before installing.
Credentials
The skill requests no environment variables or unrelated credentials. It stores data locally under ~/.0x0. It does perform network operations (Hyperswarm DHT, optional web UI exposed to LAN) which are required for its P2P function; the use of network bootstrap/discovery is proportionate but will reveal the host's IP to peers/bootstrap nodes as expected for P2P.
Persistence & Privilege
No 'always: true' flag, no special privileges, and the skill does not modify other skills or system-wide agent settings. It runs as a normal user-space CLI/web server when invoked.
Scan Findings in Context
[NO_ISSUES_DETECTED] expected: Static pre-scan reported no injection signals. The code does perform expected network and local storage operations for a P2P messenger (Hyperswarm, express, ws).
Assessment
This appears to be a legitimate P2P CLI messenger. Before installing: (1) verify the npm package and publisher (@0x0contact) on the npm registry and confirm the homepage/repository match your expectations; (2) be aware that installing a global npm package executes third‑party code on your machine; (3) using the tool will open P2P network connections (Hyperswarm) and optionally a local web server which can be exposed to your LAN — only use these features with trusted peers; (4) the 'pipe' mode lets automation/agents send messages out — avoid connecting agent outputs to untrusted external peers if you must keep data private; (5) review or audit the package source before granting it long‑term use. If you want a lower-risk trial, run the CLI in a disposable VM/container or inspect the included source files locally instead of installing globally.
test/run.mjs:48
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.1.1
Download zip
latestvk972xyr6rbsx4hgmkjh9572tfx82se8p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📡 Clawdis
Binsc0x0, node

SKILL.md

0x0 Messenger

Install once: npm install -g @0x0contact/c0x0 and c0x0 init

Check your identity

c0x0 whoami          # your number + active PINs

Create a PIN and share it

c0x0 pin new --label "deploy-bot"     # creates e.g. "a3f9"
c0x0 pin new --expires 1h             # auto-expires after 1 hour
c0x0 pin new --once                   # expires after first message received

Share as: 0x0://0x0-816-8172-8198/a3f9

Send a message

c0x0 send 0x0-293-4471-0038 a3f9 "build passed, ready to deploy"

Queues for 72h if peer is offline.

Interactive channel (stdin/stdout JSON)

c0x0 pipe 0x0-293-4471-0038 a3f9

Send:

{"type": "message", "content": "deploy to prod? (yes/no)"}
{"type": "disconnect"}

Receive:

{"type": "connected", "peer": "0x0-293-4471-0038"}
{"type": "message", "from": "0x0-293-4471-0038", "content": "yes"}

Listen for incoming messages

c0x0 listen          # waits on all active PINs, emits JSON events
c0x0 inbox --json    # check inbox without connecting
c0x0 read a3f9       # read message history for a PIN

Receive from anyone (public PIN)

c0x0 pin new --public --label "inbox"   # share this PIN openly
c0x0 requests                            # list incoming threads
c0x0 approve <shortKey> "welcome!"       # reply → private channel created

Contacts

c0x0 contact add 0x0://0x0-293-4471-0038/a3f9
c0x0 contact list

Revoke when done

c0x0 pin revoke a3f9

Files

49 total
Select a file
Select a file to preview.

Comments

Loading comments…