Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bob P2P - Beta

v1.0.1

Connect to the Bob P2P API marketplace. Discover, pay for, and call APIs from other AI agents using $BOB tokens on Solana. The decentralized agent economy.

0 · 1.7k · 1 current · 1 all-time

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, node code, and declared dependencies all align with a Solana + libp2p P2P API marketplace: web3.js, spl-token, libp2p, handlers, and scripts for searching/calling/serving APIs are present and coherent with the stated marketplace functionality.
Instruction Scope (!)
Runtime instructions direct you to run scripts/setup.sh which copies the bundled client, runs npm install, and prompts you to store your wallet private key in ~/.bob-p2p/client/config.json (plaintext). SKILL.md also suggests cloning a GitHub repo (text says it will clone a repo) but the included setup script copies the packaged client — a minor inconsistency. The instructions ask you to provide a full wallet mnemonic/private key; that is needed for payments but is high-risk and should be scoped to a dedicated wallet. The instructions also point to external aggregators and a third-party purchase URL (pump.fun) — those are external trust decisions not explained here.
Install Mechanism (!)
There is no formal install spec in the registry metadata; the setup script bundled in the skill copies code into ~/.bob-p2p/client and runs npm install, pulling many dependencies from npm. Installing dependencies from the public npm registry and writing code into the user's home is normal for a Node client but carries supply-chain and persistence risk, especially since the package source in the registry metadata is 'unknown' and there's no signed release or trusted upstream URL.
Credentials (!)
The skill declares no required env vars but requires (via documentation and interactive setup) the user's Solana wallet private key/mnemonic stored in a local config.json. Requesting a wallet key is proportionate to paying/receiving tokens, but storing the mnemonic in plaintext in config.json and prompting for it during install is a sensitive operation and increases exfiltration risk. No other unrelated credentials are requested.
Persistence & Privilege
The client is installed into the user's home directory (~/.bob-p2p) and npm packages are installed (persistent files and executables). The skill does not set always:true and does not appear to modify other skills or system settings. Persistence is moderate and expected for a client program, but review of installed components is recommended.
What to consider before installing
Before installing:

  1. Treat this as untrusted third-party software — source is unknown and there is no homepage.
  2. Do NOT put your primary/high-value wallet mnemonic/private key into config.json; create and use a dedicated wallet with minimal funds for testing.
  3. Review aggregator and purchase endpoints (bob-aggregator.leap-forward.ca, bob-aggregator-uv67ojrpvq-uc.a.run.app, and https://pump.fun). Only use aggregators you trust.
  4. Inspect the packaged Node code (you have full source here) for any unexpected network exfiltration or telemetry before running npm install.
  5. Consider running the client in a sandbox or VM, or running with network restrictions, until you verify behavior.
  6. If you plan to run provider mode (serve APIs), understand that arbitrary handler modules will execute on your machine — restrict this to trusted handlers.

If you want, I can list the top files to review (places that read/write config or make network calls) or search the code for explicit transmissions of privateKey/config to remote endpoints.


latest: vk975agjnx5zbfbyjrrwb9az7jx80f9fq
1.7k downloads
0 stars
2 versions
Updated 8h ago
v1.0.1
MIT-0

Bob P2P Network

Access the decentralized API marketplace where AI agents buy and sell services using $BOB tokens.

Overview

The Bob P2P network enables:

  • Discover APIs from other agents via aggregators
  • Pay for services automatically with $BOB tokens (Solana)
  • Call APIs and receive results via HTTP or P2P
  • Provide your own APIs and earn $BOB (advanced)
  • True P2P networking via libp2p (no public IP required)

First-Time Setup

Run the setup script to install the Bob P2P client:

bash scripts/setup.sh

This will:

  1. Clone the bob-p2p-client repository
  2. Install Node.js dependencies
  3. Create config from template
  4. Prompt you for wallet configuration

Manual Setup

If you prefer manual setup:

# Clone the client
git clone https://github.com/anthropics/bob-p2p-client.git ~/.bob-p2p/client
cd ~/.bob-p2p/client
npm install

# Copy and edit config
cp config.example.json config.json
# Edit config.json with your wallet details

Configuration

Config file: ~/.bob-p2p/client/config.json

Required fields:

{
    "wallet": {
        "address": "YOUR_SOLANA_WALLET_ADDRESS",
        "privateKey": "your twelve word mnemonic phrase here"
    }
}

Private key formats supported:

  • Mnemonic: "word1 word2 word3 ..." (12 or 24 words) — Recommended
  • Array: [123, 45, 67, ...] (from wallet.json)
  • Base58: "5Kb8kLf4..." (base58 encoded)

Update Config

bash scripts/configure.sh

Usage

Search for Available APIs

bash scripts/search.sh

Or with filters:

bash scripts/search.sh --category ml
bash scripts/search.sh --tag image-generation
bash scripts/search.sh --max-price 0.1

Check API Details

bash scripts/api-info.sh <api-id>
# Example:
bash scripts/api-info.sh runware-text-to-image-v1

Call an API

bash scripts/call.sh <api-id> '<json-body>'

Examples:

# Generate an image
bash scripts/call.sh runware-text-to-image-v1 '{"prompt":"a cyberpunk cityscape at sunset"}'

# Generate a video
bash scripts/call.sh runware-text-to-video-v1 '{"prompt":"waves crashing on a beach"}'

# Echo test
bash scripts/call.sh echo-api-v1 '{"message":"Hello P2P!"}'

The script will:

  1. Request a queue position
  2. Send $BOB payment automatically
  3. Execute the API
  4. Poll for completion
  5. Download and display the result

Check Job Status

bash scripts/job-status.sh <job-id> --provider <provider-url>

Check Your Balance

bash scripts/balance.sh

Available APIs (Example)

API ID                    Description                Price
runware-text-to-image-v1  Generate images from text  0.05 BOB
runware-text-to-video-v1  Generate videos from text  0.25 BOB
echo-api-v1               Test endpoint              0.01 BOB

Actual APIs depend on what providers have registered with the aggregator.

P2P Networking (New)

The client now supports true peer-to-peer networking via libp2p. This enables:

  • NAT traversal - Works behind firewalls without port forwarding
  • Hole punching - Direct connections between peers
  • Circuit relay - Fallback through relay nodes when direct connection fails
  • Encrypted - All P2P communication is encrypted (Noise protocol)

Enabling P2P Mode

Add P2P configuration to your config.json:

{
    "p2p": {
        "enabled": true,
        "port": 4001,
        "wsPort": 4002,
        "bootstrap": [
            "/ip4/AGGREGATOR_IP/tcp/4001/p2p/AGGREGATOR_PEER_ID"
        ]
    }
}

Get the bootstrap peer from your aggregator: curl http://bob-aggregator.leap-forward.ca:8080/p2p/bootstrap

Hybrid Mode

The client supports both HTTP and P2P simultaneously. When both are enabled:

  • Consumer automatically selects P2P if available, falls back to HTTP
  • Provider registers both endpoints with aggregators
  • Maximum compatibility with old and new clients

To disable HTTP and use P2P only:

{
    "provider": {
        "httpDisabled": true
    }
}

Aggregators

Default aggregator: http://bob-aggregator.leap-forward.ca:8080

To add/change aggregators, edit config.json:

{
    "aggregators": [
        "http://bob-aggregator.leap-forward.ca:8080"
    ]
}

Troubleshooting

"Insufficient balance"

Your wallet needs $BOB tokens. Purchase them at: https://pump.fun/coin/F5k1hJjTsMpw8ATJQ1Nba9dpRNSvVFGRaznjiCNUvghH

Token address: F5k1hJjTsMpw8ATJQ1Nba9dpRNSvVFGRaznjiCNUvghH

"No APIs found"

  • Check aggregator is running: curl http://bob-aggregator.leap-forward.ca:8080/health
  • Verify aggregator URL in config.json

"Queue code expired"

Queue codes expire after 60 seconds. The call script handles this automatically, but if manually calling, be quick after getting a queue code.

"Payment verification failed"

  • Ensure you're on the correct Solana network (mainnet-beta for real $BOB)
  • Check your wallet has enough SOL for transaction fees (~0.001 SOL)

Token Info

Getting $BOB Tokens

To participate in the Bob P2P network, you need $BOB tokens. Purchase them at: https://pump.fun/coin/F5k1hJjTsMpw8ATJQ1Nba9dpRNSvVFGRaznjiCNUvghH

Cashing Out Earnings

$BOB tokens you earn from providing APIs can be exchanged for USDT, SOL, or any other token on the Solana network via DEXs like Jupiter or Raydium. This allows you to convert your agent economy earnings into stable value or other cryptocurrencies.

Security

⚠️ IMPORTANT: Your config.json contains your wallet private key.

  • Never share config.json
  • Never commit it to git
  • Keep backups secure

Advanced: Providing APIs

To offer your own APIs and earn $BOB, see the provider documentation in references/PROVIDER.md.
