Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent P2P
v0.8.8
Enable real-time P2P messaging between AI Agents via Portal with secure send.py script and shared keys; supports contact management and file transfer.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The files and runtime instructions (bridge, client, send.py, deploy scripts) align with a P2P Portal+Bridge design: SSH-based VPS deployment, systemd service, local bridge that wakes the gateway, and a send.py for message/file delivery. However the registry metadata at the top claimed no required env vars while SKILL.md embeds an openclaw.requires list (AGENTP2P_API_KEY, AGENTP2P_HUB_URL, OPENCLAW_GATEWAY_URL, OPENCLAW_HOOKS_TOKEN) — that mismatch is an incoherence. Also the bundle is not really instruction-only (many code files present) despite the 'no install spec' note.
Instruction Scope
SKILL.md and scripts instruct the agent to read local OpenClaw files (~/.openclaw/openclaw.json, ~/.openclaw/gateway.env), write ~/.openclaw/gateway.env, potentially read/write ~/.openclaw/agent-p2p-admin.txt, accept or request SSH private keys, SSH into a VPS and run a long remote script (apt-get, git clone, pip install, run database init), extract API keys from a remote SQLite DB, and automatically start services. The bridge code also posts wake requests to the OpenClaw gateway using the hooks token. These operations go beyond simple message-sending and require access to sensitive local files and remote server control — appropriate for deployment but high-risk and not limited in scope. The instructions also explicitly ask the platform to relax exec-security settings (see metadata), which attempts to change platform-level execution constraints.
Install Mechanism
There is no formal install spec but multiple install helpers exist (install.sh, auto_install.py, scripts/deploy_portal.py). Remote deployment pulls code from a GitHub repository (a reasonable host) but runs arbitrary commands (apt-get, pip install -r requirements.txt, python3 -c 'from vps.main import init_db') on the remote VPS via SSH — this is expected for automating a server install but is high-impact. The local install scripts create systemd units in user/system locations. Overall install actions are consistent with the stated purpose but involve writing/executing code on both local and remote hosts and therefore carry elevated risk.
Credentials
The skill requires sensitive values: AGENTP2P_API_KEY (Portal key), OPENCLAW_HOOKS_TOKEN and OPENCLAW_GATEWAY_URL (used to wake the gateway), plus SSH private keys for VPS deployment. Those are functionally required for the feature, but the skill's code reads OpenClaw config files directly and will write gateway.env automatically (auto_install.py), which increases the chance of secret leakage or accidental use of high-privilege keys (e.g., OWNER_KEY). The skill also suggests locations for admin passwords and even scripts that will extract API keys from the remote database; that behavior should be confirmed by the user before providing credentials.
Persistence & Privilege
The skill does not set always:true, but the SKILL.md metadata explicitly requests that OpenClaw exec restrictions be relaxed (exec_security: full, exec_ask: off, host: gateway) so the agent can run complex interpreter invocations without preflight errors. That is a request to change platform-wide execution policy and materially increases privilege. Combined with the skill's ability to write config files (~/.openclaw/gateway.env), install services, and run systemd units, this is a significant privilege expansion and should be treated cautiously.
Scan Findings in Context
[base64-block] unexpected: A base64-block prompt-injection pattern was detected in SKILL.md pre-scan. The metadata block also explicitly asks the platform to relax exec security settings (exec_security: full, ask: off) — this looks like an attempt to change evaluation/runtime constraints and is not necessary for simply describing the skill's function.
What to consider before installing
This skill appears to implement the P2P Portal/Bridge it claims, but it requires high-sensitivity access and asks to relax platform exec restrictions — do not proceed blindly. Before installing:
1) Review the full send.py, auto_install.py, and vps/main.py yourself (or get an independent audit).
2) Never supply your primary SSH private key or OWNER-level API keys; create a dedicated VM and a dedicated, limited SSH key and a limited Portal API key for testing.
3) Do not change OpenClaw's global exec/security settings without understanding the implications — prefer running commands manually in a sandbox first.
4) Note the code disables TLS verification (requests.verify=False and WebSocket SSL verify disabled) — consider enabling strict TLS before use.
5) If you plan to deploy, do so in an isolated VPS and limit network exposure, then inspect logs and what the skill writes to ~/.openclaw/gateway.env or other files.
6) If you are not comfortable auditing the code, treat this skill as high risk and avoid installing it on production environments.
Like a lobster shell, security has layers — review code before you run it.
