ClawHub

A2a Server

v0.1.0

基于 WebSocket 的多智能体 P2P 通信服务器,支持 Agent 注册、低延迟消息转发、RPC 调用、发布/订阅、能力发现及离线消息。

0· 93·0 current·0 all-time
by@yuyonghao-123
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (A2A WebSocket server) match the shipped code: src/server.js and src/client.js implement server/client behavior and tests/coverage are included. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs usual developer actions (git clone, npm install, node src/server.js) and how to connect clients and use RPC/pub-sub/discovery. It does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints. It does note TODOs (trust chain, message signing) that are not yet implemented.
Install Mechanism
There is no automatic install spec for the skill; instructions expect you to run 'npm install' manually. That is normal, but npm will fetch third-party packages — inspect package.json / package-lock.json before running npm install to ensure dependencies are acceptable.
Credentials
The skill declares no required environment variables or credentials; SKILL.md lists optional runtime vars (A2A_PORT, A2A_HOST, A2A_VERBOSE). Nothing in the metadata asks for unrelated secrets.
Persistence & Privilege
Skill is not marked always:true and does not request elevated platform privileges. It's source is shipped as code files and will only run if you execute it (normal for a server/client library).
Assessment
This skill appears to be what it advertises (a WS-based agent server). Before running it: 1) review package.json and package-lock.json for and audit third-party dependencies; 2) read src/server.js and src/client.js to confirm there are no unexpected network callbacks or remote endpoints; 3) run tests in an isolated environment/container and avoid exposing the server publicly without adding authentication/TLS (SKILL.md shows auth/signing as TODOs); 4) if you plan to integrate with other agents, ensure you control agent IDs and message trust boundaries. If you want, paste the package.json or the server.js/client.js contents and I can highlight any risky code or suspicious dependencies.

Like a lobster shell, security has layers — review code before you run it.

latestvk977q2fxm483x7j32kba5073w983m53z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments