ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fleet Communication System

Enables real-time text messaging and broadcasting between multiple OpenClaw nodes across machines for coordinated fleet operations.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 277 · 2 current installs · 2 all-time installs
by@dagangtj
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (fleet-wide messaging) align with the code and CLI: the files implement an HTTP message bus, endpoints for send/broadcast/read/register/status, and a dashboard. The ability set is coherent with the stated purpose.
Instruction Scope
SKILL.md gives clear instructions to start the bus and use the CLI; it documents FLEET_NODE_ID, FLEET_BUS_URL and FLEET_BUS_PORT which the CLI/server use. Minor mismatch: the code reads FLEET_DATA_DIR (to store messages/nodes) but SKILL.md does not mention it. The runtime instructions do not ask the agent to read unrelated system files or secrets.
Install Mechanism
No install spec (instruction-only) and included JS files are executed directly by node. This is a low-risk install model in terms of arbitrary remote downloads.
!
Credentials
The skill requests no credentials, which is consistent with a simple local bus, but the server binds to '0.0.0.0' and responds with Access-Control-Allow-Origin: '*' — exposing endpoints to the network without authentication. That lack of access control is disproportionate to the sensitivity of cross-node task messages. Also FLEET_DATA_DIR is used by code but not documented in SKILL.md.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no special persistence claims. It writes message and node JSON files under its data directory, which is normal for a local bus.
What to consider before installing
This skill is functionally coherent (it creates a lightweight HTTP message bus and CLI), but it is permissive and lacks access controls. Before installing or running: - Be aware the server binds to 0.0.0.0 (all interfaces) and sets CORS to '*' — by default it will be reachable from the network and from browsers on other hosts. If you only want local access, set FLEET_BUS_PORT and bind the process to 127.0.0.1 or modify the code to listen on localhost. - Add authentication/authorization: consider requiring a shared token or mTLS so arbitrary peers cannot register, read messages, or push tasks. Without this, malicious network peers could send commands or exfiltrate messages. - Protect the data directory: messages.jsonl and nodes.json are written to disk under the skill data dir (FLEET_DATA_DIR). If these contain sensitive content, ensure file permissions and backups are appropriate. - Document and configure FLEET_DATA_DIR: the code uses this env var but SKILL.md doesn't mention it — set it explicitly if you want data kept outside the skill bundle. - Review any agents that act on received 'task' messages: if other nodes automatically execute tasks received via this bus, the lack of auth creates a command-and-control risk. Ensure receiving agents validate/authorize tasks before executing. - If you want to expose the bus across machines, run it behind a firewall, VPN (e.g., Tailscale as the diagram suggests), or an authenticated reverse proxy to limit who can connect. Given these issues, consider this skill suspicious until you harden it (bind to localhost, add auth, restrict CORS) or accept the network exposure intentionally.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.2.0
Download zip
communicationvk974m00fpbcq89f38trz99yy7h824sg3fleetvk974m00fpbcq89f38trz99yy7h824sg3latestvk974m00fpbcq89f38trz99yy7h824sg3multi-agentvk974m00fpbcq89f38trz99yy7h824sg3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Fleet Communication Skill

Multi-agent communication system for OpenClaw fleets. Enables real-time messaging between multiple OpenClaw instances running on different machines.

When to use

  • User asks agents to communicate with each other
  • Multi-machine OpenClaw setups need coordination
  • Task delegation between fleet nodes
  • Broadcasting announcements to all nodes

Setup

The skill runs a lightweight HTTP message bus on the coordinator node (default port 18800).

Start the bus (on coordinator node)

node fleet-comm/fleet_bus.js

Environment

  • FLEET_NODE_ID — This node's ID (default: 00)
  • FLEET_BUS_URL — URL of the message bus (default: http://127.0.0.1:18800)
  • FLEET_BUS_PORT — Port to run bus on (default: 18800)

Commands

Send a message to a specific node

node fleet-comm/fleet_cli.js send <target_node> <message>
# Example: node fleet-comm/fleet_cli.js send 01 "start bounty scan"

Broadcast to all nodes

node fleet-comm/fleet_cli.js broadcast <message>

Read messages for this node

node fleet-comm/fleet_cli.js read

Check bus status

node fleet-comm/fleet_cli.js status

Architecture

  00 (Mac Mini)          01 (WSL2)           02 (Windows)
  ┌──────────┐          ┌──────────┐        ┌──────────┐
  │ Fleet Bus │◄────────│ CLI/Poll │        │ CLI/Poll │
  │ :18800   │─────────►│          │        │          │
  └──────────┘          └──────────┘        └──────────┘
       ▲                                         │
       └─────────────────────────────────────────┘
                    Tailscale Network

Message Format

{
  "from": "00",
  "to": "01",       // or "all" for broadcast
  "msg": "message text",
  "type": "task|info|alert|result",
  "ts": 1234567890
}

Free vs Pro (future)

  • Free: basic messaging, broadcast, status
  • Pro: encrypted messages, web dashboard, task queue, auto-discovery, message persistence

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…