OmniWire
Warn
Audited by ClawScan on May 10, 2026.
Overview
OmniWire is openly described as a powerful infrastructure controller, but it gives an agent broad server, credential, inter-agent, and persistent-memory authority through unreviewed npm code with limited scoping details.
Only install OmniWire if you intentionally want an AI agent to administer your servers. Before use, review and pin the npm package, avoid root SSH keys, connect only non-production or tightly scoped hosts, require explicit approval for privileged commands, keep event ports private, and disable persistent memory/config sync unless you have defined safe storage and cleanup rules.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken, hijacked, or overly broad agent action could restart services, change files, deploy containers, or run damaging commands across multiple servers.
The skill explicitly gives the agent arbitrary remote execution and background-job capability across mesh nodes. The artifacts do not describe command allowlists, per-node constraints, rollback, or mandatory user confirmation for high-impact operations.
| **Execution** | 6 | Run commands, scripts, pipelines, background jobs on any node |
Use only with tightly scoped nodes and commands, require explicit approval for every privileged action, prefer non-root accounts, and test in an isolated environment before connecting production systems.
If the agent or package behaves incorrectly, it could use the user’s SSH authority to make privileged changes on connected systems.
The setup directs the agent to collect SSH identity information and even suggests root as the usual user, granting very high delegated privilege over remote machines.
- SSH user (usually `root`)
- SSH key filename in ~/.ssh/ (e.g., `id_ed25519`)
Do not use root keys by default. Create dedicated least-privilege SSH users, restrict sudo, limit keys to specific hosts, and rotate credentials if testing the skill.
The code installed today may differ from the code installed later, and users cannot verify from the submitted artifacts what will run with their infrastructure access.
The install mechanism fetches an unpinned latest npm package as the runnable implementation, while the submitted artifacts contain no code files to inspect. This provenance gap matters because the package is intended to control servers and credentials.
node | package: omniwire@latest | creates binaries: omniwire, ow
Pin an exact package version or checksum, review the source before installing, avoid automatic global installs, and only grant infrastructure credentials after verifying the package.
Messages or events between agents could carry commands or sensitive data, and weak boundaries could let the wrong peer influence the mesh.
The skill advertises A2A messaging and event-bus transports, but the visible artifacts do not specify authentication, origin validation, permissions, or network exposure controls.
| **Agentic / A2A** | 13 | Agent tasks, messaging, blackboard, workflows, semaphores, registries |
| **Events** | 1 | Webhook + WebSocket + SSE event bus |
Do not expose the REST/SSE/WebSocket ports publicly. Require authentication, TLS, firewall rules, and explicit identity checks for every peer or agent.
Sensitive configuration or misleading stored knowledge could be reused across agents or future tasks, causing leakage or bad automated decisions.
The skill includes persistent shared memory and bi-directional configuration sync, but the artifacts do not define what is synced, how secrets are excluded, how long data is retained, or how poisoned content is prevented from influencing later tasks.
| **CyberSync** | 9 | Bi-directional config sync for 6 AI tools + knowledge/memory |
| **Knowledge** | 2 | Store and search unified knowledge base (pgvector) |
Disable CyberSync unless needed, exclude secrets and private files, restrict database access, review stored knowledge regularly, and define retention and deletion procedures.
A user may approve installation without fully considering that the package will later receive server credentials and broad operational control.
This wording nudges the agent to execute the global install and frames the user’s role as merely approving, which reduces careful review of a high-impact package.
> **AGENT: Run this via exec. User just clicks Approve.**
Treat the install as a high-risk administrative action: review the package, pin the version, understand the requested access, and approve each setup step deliberately.
