Vinculum - Shared Consciousness
v1.2.0
Shared consciousness between Clawdbot instances. Links multiple bots into a collective, sharing memories, activities, and decisions in real-time over local network using Gun.js P2P sync.
⭐ 5 · 2.4k · 6 current · 6 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Functionality and required code (Gun.js, relay, peer discovery, config files) match the declared purpose of providing a P2P shared-sync relay for Clawdbot instances. However, registry metadata claims 'no required binaries / no install spec' while SKILL.md and package.json require Node.js (>=18) and npm and include an npm-based install step — this mismatch between registry metadata and the skill's documentation/files is inconsistent and could lead to surprises during install.
Instruction Scope
Runtime instructions and commands legitimately manage relay, join/init networks, and read/write config and data under the user's home directory. But the skill starts a background HTTP relay (listening by default on port 8765) and accepts configurable peer URLs; adding arbitrary peer URLs allows the node to connect to external endpoints which could receive replicated data. SKILL.md claims 'local network only' and 'credentials never linked', but the code permits connecting to any http(s) peer the user configures and pairing codes grant read/write access. Also the CLI uses OS and ENV (hostname, USER) for identity. These behaviors are coherent with a P2P sync tool but materially expand what network traffic and data sharing the agent will perform — the user must explicitly approve peers and pairing codes.
Install Mechanism
Install consists of running npm install --production in the skill directory (package.json + package-lock.json present). That uses public npm packages (gun, ws, yaml) — a standard but moderate-risk install source. There is no direct download from arbitrary URLs. However, the registry metadata did not include a formal install spec while SKILL.md provides one; this packaging mismatch is inconvenient and could lead to the skill being used without its dependencies installed.
Credentials
The skill does not request API keys or extra credentials. It reads/writes config and data under the user's home directory (e.g., ~/.config/clawdbot/vinculum.yaml, ~/.local/share/clawdbot/vinculum) and uses common environment variables (HOME, optional CLAWDBOT_DATA_DIR, USER). Those are proportional to its function as a local sync service. No unexpected secret environment variables (TOKENS/KEYS) are required by the package metadata.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It will install node modules and spawn a background relay process that writes PID, logs, and persistent Gun data under user-owned directories. That persistence is consistent with a relay/service but means the skill will have continuous network presence while the relay is running — expect firewall exposure on the configured port.
What to consider before installing
Key things to consider before installing:
- Metadata mismatch: the registry lists no required binaries/install spec, but SKILL.md and package.json require Node.js (>=18) and npm and instruct you to run npm install. Ensure Node/npm are present and that you run installation in a controlled environment.
- Network exposure: the skill launches a relay server (default port 8765) and will accept peer URLs you configure. If you add a remote peer that is reachable on the internet or an untrusted host, your shared-memory data (activity, learned knowledge, decisions) can be replicated to that host. Only join collectives and add peers you trust.
- Pairing codes: invite/pairing codes grant read/write access to the collective. Treat them like secrets — anyone with a code can modify the shared state.
- Data persistence: the skill stores data and logs under your home directory (~/.local/... and ~/.config/...). If you want to limit persistence, inspect the data_dir and storage locations in defaults.yaml and consider running the skill in a sandbox, container, or VM.
- Review missing/truncated files: some implementation files were truncated in the provided package; if you plan to use this, review relay-simple.js and the gun-adapter implementation fully to confirm no unexpected network calls or remote endpoints are hardcoded.
- Safe deployment recommendations: run initial testing on an isolated machine or inside a container, ensure your firewall blocks unwanted external access to the relay port, and only generate/share pairing codes with machines/users you control.
If you want, I can:
- Walk through the relay script and gun-adapter for code-level review of networking and persistence behavior (the repo listing included truncated files that I can inspect if you provide them), or
- Produce a checklist to sandbox this skill safely before enabling it in a production agent.
Like a lobster shell, security has layers — review code before you run it.
latest: vk979b9jm770p9nn3hkwxbyh9bn804yk4
Runtime requirements
🔗 Clawdis
Bins: node, npm
