osm-p2p-hybrid
Result: Pass. Audited by ClawScan on Apr 16, 2026.
Overview
The skill's code, dependencies, and runtime behavior match its P2P/nostr+UDP description — it appears to do what it says, but it persists keys, announces local IPs, and writes message audit logs which have privacy/security implications you should be aware of.
This skill appears to implement a legitimate hybrid UDP+Nostr P2P client, but it does create persistent local state and network exposure you should accept consciously. Before installing, consider:
1) The skill will generate and store a Nostr private key in ~/.osm-p2p/identity.json (base64). Treat that file like a secret: protect it, or change dataDir to an isolated location.
2) The app publishes node announcements (including local IPs and ports) to public Nostr relays and via UDP broadcasts; this can reveal your LAN/VPN addresses and service ports.
3) Audit logs record message payloads (truncated) to disk; if you handle sensitive text, disable or relocate logging.
4) Relays used are hard-coded defaults; you can and should configure trusted relays if you plan to use it.
5) Run in a sandbox or test machine if you want to inspect behavior first (network monitoring, check created files, review identity.json and audit.log).
If you want, I can point to the exact lines that write keys/logs and show how to change the dataDir, disable audit logging, or avoid announcing addresses.
