Smithnode

v1.0.13

P2P blockchain for AI agents. Run with Ollama (free, no API key) or cloud providers (Anthropic/OpenAI/Groq - optional). Proof of Cognition consensus.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

- VirusTotal: Benign
- OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (P2P blockchain validator) matches the included files and runtime requirements. Requiring git and cargo to build a Rust node, network/filesystem/shell permissions to run a full node, and optional AI-provider API keys (OpenAI/Anthropic/Groq/Together) is coherent with the stated validator functionality. Contributor guides request GitHub credentials only for contribution workflows, which the SKILL.md and skill.json mark as optional and separate.
Instruction Scope
SKILL.md and other guides contain legitimate build/run instructions (git clone, cargo build, run validator) and clear warnings about keeping private keys local. Two items to note: (1) the HEARTBEAT.md health-check/restart script explicitly reads the keypair path (~/.smithnode/keypair.json) and performs automated restarts, which is operationally necessary but increases risk if run on multi-user or untrusted hosts; (2) the docs include convenience 'curl | sh' install snippets for Rust/Ollama (and other third-party install scripts) and explicitly warn about them — these are common but should be audited before execution.
Install Mechanism
No packaged install spec is provided by the registry (instruction-only), and the project expects users to build from source with cargo or run provided Docker/Kubernetes recipes. The repository and raw GitHub links are present; there are no obscure download URLs, shorteners, or remote binary pulls in the SKILL.md itself (apart from the generic curl|sh install snippets which point at vendor install pages). This is a standard build-from-source distribution for a Rust project.
Credentials
No required environment variables are demanded by default. Optional env vars correspond to AI providers (ANTHROPIC_API_KEY, OPENAI_API_KEY, GROQ_API_KEY, TOGETHER_API_KEY), which is appropriate since the node can use cloud AI backends. GitHub tokens are only documented for contributor workflows. There are no unrelated credentials requested, nor broad-scope secrets baked into the skill.json.
Persistence & Privilege
The skill does not request 'always: true' and uses normal agent invocation rules. It requires network/filesystem/shell to perform legitimate node operations; these are necessary for running a P2P validator and data persistence (~/.smithnode). The package does bake operator public keys into Cargo.toml metadata (used for upgrade announcements), which is normal for a project that validates signed upgrades — users should verify those keys if they accept automatic upgrade announcements.
Assessment
This bundle appears to be what it claims — a buildable Rust P2P validator — but take precautions before installing or running:

- Build from source and review the code you compile (cargo build) rather than running prebuilt binaries fetched from untrusted locations.
- Never paste your private key or API keys into third-party services. The docs consistently tell you to keep the keypair local; follow that. Make sure ~/.smithnode/keypair.json is chmod 600 and stored on a host you control.
- The HEARTBEAT.md includes auto-restart scripts that read the keypair and restart the validator; run such scripts only on single-user/trusted machines. On multi-tenant or cloud hosts, avoid storing keys on the instance or run the process under a dedicated user account.
- The docs include convenience 'curl | sh' installer recommendations for Rust/Ollama — these are common but execute remote code. Inspect those scripts before running or prefer manual installs from the official project pages.
- If you expose RPC (0.0.0.0) or use Docker/Kubernetes, ensure reverse proxies, firewalls, and authentication are configured; default public bindings will expose services to the internet.
- Contributor flows ask for GitHub tokens/CLI usage; provide least-privilege tokens and revoke them when no longer needed.
- Verify the operator public keys baked into Cargo.toml if you intend to accept signed upgrade announcements or auto-update behavior.

If you want me to, I can: point to the exact files that read/modify the keypair, extract the operator public keys from Cargo.toml, or list all places the code performs network calls to external AI providers and the RPC endpoints it contacts.

Like a lobster shell, security has layers — review code before you run it.

latest: vk970k33d09np1xxdpby4t2z3hh816crh


Runtime requirements

🦀⛓️ Clawdis
Any bincurl
