Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OCFT - OpenClaw File Transfer

P2P file transfer between AI agents via message channels. Supports chunked transfer, IPFS fallback for large files, and trusted peer management.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 2.2k · 3 current installs · 3 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The stated purpose (P2P file transfer between agents) aligns with the CLI/API shown in SKILL.md (init, add-peer, sendFile, IPFS fallback). However the metadata declares no required config paths or credentials while the README/SKILL.md explicitly references a local config file (~/.ocft/config.json) that stores node secrets and trusted peers. That mismatch (declared nothing vs. instructions that create/store secrets) is an inconsistency worth flagging.
! Instruction Scope
The SKILL.md instructs running the `ocft` CLI (e.g., `ocft init`, `ocft show-secret`, `ocft export`, `ocft sendFile`, referencing paths like /path/to/file.txt and ~/.ocft/config.json). Those operations necessarily read/write local files and secrets and can be used to send arbitrary files over message channels — which is the intended feature but also enables file exfiltration if misused. The instructions also include 'show-secret' and 'export', operations that surface secrets; the skill does not limit or warn about when/how those should be used.
! Install Mechanism
No install spec is provided in the registry metadata, but the SKILL.md tells users to run `npm install -g ocft`. That delegates installation to a third-party npm package at runtime. Installing an external npm package globally downloads and executes code from the network and should be audited first; the instruction-only nature of the skill (no bundled code) plus a global npm install increases risk because the skill's operation depends on external code not audited here.
Credentials
The registry declares no required environment variables, which is consistent with the CLI-first design. The SKILL.md does provide commands to set IPFS provider keys and a Kubo URL (via `set-ipfs-key`, `set-kubo-url`) — these are relevant to the IPFS fallback feature but are not declared as required env or config in the metadata. The skill will store secrets in a local config file; that storage behavior is reasonable for a transfer tool but should be considered by users before adding secrets.
Persistence & Privilege
The skill is not set to always:true and does not request system-wide privileges in the metadata. It's instruction-only and does not request persistent platform-level enforcement. It will (per README) create a local config at ~/.ocft/config.json, which is expected for this functionality and is scoped to the user's home directory.
What to consider before installing
This skill is a coherent P2P file-transfer design, but exercise caution before installing or running it:

  • Audit the npm package first: the SKILL.md tells you to run `npm install -g ocft`, which will download and run third-party code. Inspect the package and its GitHub repo (commits, maintainers, recent activity) before installing.
  • Prefer installing/running the CLI in an isolated environment (container, VM) rather than installing globally on a production machine.
  • Be aware the tool creates and stores secrets and trusted-peer data at ~/.ocft/config.json and exposes commands like `show-secret` and `export` — treat those secrets like any API key and avoid sharing them with untrusted peers.
  • Understand the risk of file exfiltration: the skill is designed to send arbitrary files over chat channels. Only add trusted peers and verify URIs before importing peers.
  • If you plan to use IPFS fallback, verify provider credentials and limit key scope; don't reuse high-privilege keys.

If you want a safer install path, request that the maintainer provide a pinned install spec (e.g., exact npm package version and checksum) or bundle audited code rather than only an instruction to install from npm.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.1.2
latestvk974q879bz9jhbsd0y79gjgg3980htzw


SKILL.md

OCFT - OpenClaw File Transfer Protocol

P2P file transfer between AI agents via message channels.

When to Use

Use this skill when:

  • Transferring files between AI agents over chat channels
  • Setting up peer-to-peer file sharing with trusted agents
  • Sending files through Telegram, Discord, Slack, or any text-based channel
  • Needing chunked transfer with integrity verification
  • Transferring large files using IPFS fallback

Installation

npm install -g ocft

Quick Start

# Initialize your node (generates unique ID and secret)
ocft init

# View your status
ocft status

# Export your connection info to share with peers
ocft export

# Add a trusted peer
ocft add-peer <nodeId> <secret> --name "Friend"

# Or import from URI
ocft import ocft://eyJub2RlSWQ...

CLI Commands

Core Commands

| Command | Description |
| --- | --- |
| ocft init | Initialize node with unique ID and secret |
| ocft status | Show node status and configuration |
| ocft show-secret | Display full secret (careful!) |
| ocft export | Export connection info as URI |
| ocft import <uri> | Import peer from ocft:// URI |
| ocft verify <secret> | Verify if a secret matches yours |

Peer Management

| Command | Description |
| --- | --- |
| ocft add-peer <id> <secret> | Add a trusted peer |
| ocft remove-peer <id> | Remove a trusted peer |
| ocft list-peers | List all trusted peers |
| ocft extend-peer <nodeId> <hours> | Extend a peer's trust expiry |
| ocft set-ttl <hours> | Set default secret TTL (0 = no expiry) |

Configuration

| Command | Description |
| --- | --- |
| ocft set-download <dir> | Set download directory |
| ocft set-max-size <size> | Set max file size (e.g., 100MB, 1GB) |

IPFS Fallback (for large files)

| Command | Description |
| --- | --- |
| ocft ipfs-enable | Enable IPFS fallback for large files |
| ocft ipfs-disable | Disable IPFS fallback |
| ocft set-ipfs-provider <provider> | Set provider: pinata, filebase, kubo |
| ocft set-ipfs-key <key> | Set IPFS API key |
| ocft set-kubo-url <url> | Set Kubo node API URL |
| ocft set-ipfs-threshold <size> | Size threshold for IPFS (e.g., 50MB) |
| ocft set-ipfs-gateway <url> | Set custom public IPFS gateway |

Features

  • 🔗 Message-based: Transfer files through existing chat channels
  • 📦 Chunked transfer: Split large files into small pieces (48KB chunks)
  • Integrity verification: SHA-256 hash for chunks and files
  • 🤝 Request/Accept: Explicit acceptance or auto-accept policy
  • 🔒 Security: Trusted peer whitelist with secrets
  • Secret TTL: Set expiry time for trust relationships
  • 🔄 Resume: Resume interrupted transfers from last chunk
  • 🌐 IPFS Fallback: Use IPFS for files exceeding chunk threshold

Protocol

OCFT messages use a 🔗OCFT: prefix with Base64-encoded JSON, allowing file transfers over any text-based channel.
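
A defender's view of this framing, as an added example (not code from the ocft package): a Node.js scanner that finds `🔗OCFT:` frames in a channel export, checks that each payload is Base64-encoded JSON, and totals decoded bytes per sender. The whitespace-delimited payload, the standard Base64 alphabet, and the JSON field names in the sample messages are assumptions; the page does not document the message schema.

```javascript
const OCFT_PREFIX = "🔗OCFT:";          // prefix named in the Protocol section
const B64 = /^[A-Za-z0-9+/]+={0,2}$/;   // assumption: standard, padded Base64

// Returns one record per OCFT frame found in a single message's text.
function findOcftFrames(text) {
  const frames = [];
  let pos = text.indexOf(OCFT_PREFIX);
  while (pos !== -1) {
    const start = pos + OCFT_PREFIX.length;
    // Assumption: the payload runs to the next whitespace or end of message.
    const token = text.slice(start).split(/\s/, 1)[0];
    const rec = { offset: pos, encodedLength: token.length, valid: false };
    if (token.length > 0 && token.length % 4 === 0 && B64.test(token)) {
      const raw = Buffer.from(token, "base64");
      rec.decodedBytes = raw.length;
      try {
        const obj = JSON.parse(raw.toString("utf8"));
        if (obj !== null && typeof obj === "object" && !Array.isArray(obj)) {
          rec.valid = true;
          rec.keys = Object.keys(obj).sort(); // report field names, not values
        } else rec.reason = "payload is not a JSON object";
      } catch (e) { rec.reason = "payload is not JSON"; }
    } else rec.reason = "payload is not Base64";
    frames.push(rec);
    pos = text.indexOf(OCFT_PREFIX, start);
  }
  return frames;
}

// Summarise OCFT traffic per sender across a channel export.
function summarise(messages) {
  const bySender = {};
  for (const { sender, text } of messages) {
    for (const f of findOcftFrames(text)) {
      const s = (bySender[sender] = bySender[sender] || { frames: 0, malformed: 0, bytes: 0 });
      s.frames += 1;
      if (f.valid) s.bytes += f.decodedBytes; else s.malformed += 1;
    }
  }
  return bySender;
}

// Constructed sample channel export; the JSON field names are hypothetical.
const frame = (o) => OCFT_PREFIX + Buffer.from(JSON.stringify(o)).toString("base64");
const SAMPLE = [
  { sender: "agent-a", text: frame({ type: "offer", name: "report.pdf", size: 1024 }) },
  { sender: "agent-a", text: "chunk " + frame({ type: "chunk", seq: 0, data: "QUJD" }) },
  { sender: "agent-b", text: "see the 🔗OCFT: spec for details" },
  { sender: "agent-b", text: OCFT_PREFIX + "bm90IGpzb24=" },
];
console.log(summarise(SAMPLE));
```

Frames that carry the prefix but fail the Base64 or JSON check are counted as malformed rather than dropped, so a prose mention of the prefix is distinguishable from real transfer traffic.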

Limitations

  • Chunk size: 48KB (safe for Base64 in messages)
  • Default max file size: 100MB (configurable via set-max-size)
  • Designed for text-based channels
  • IPFS fallback requires provider setup (Pinata, Filebase, or local Kubo)
