A2a Server

v0.1.1

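A WebSocket-based multi-agent P2P communication server that supports low-latency message forwarding, RPC calls, publish/subscribe, capability discovery, and an offline message queue.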

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (A2A WebSocket P2P server) match the included files (src/server.js, src/client.js, index.js) and examples. The code and docs provide RPC, pub/sub, discovery and offline queue features that align with the stated purpose.
Instruction Scope
SKILL.md instructs cloning and running npm install / npm start and demonstrates connecting clients; it does not instruct reading unrelated system files or exfiltrating secrets. Important security note: the README explicitly marks 'trust chain authorization' and 'message signing' as '待实现' (TODO), which implies the server currently lacks authentication/cryptographic protections — the docs show no guidance for securing or authenticating agents, so running an instance may accept unauthenticated peers.
Install Mechanism
No special install spec in the registry; SKILL.md suggests cloning the repository and running 'npm install', which is a normal developer install path. All included files are present in the package manifest; there are no opaque external download URLs or extract-from-URL steps in the registry metadata.
Credentials
The skill declares no required environment variables or credentials. SKILL.md lists optional runtime vars (A2A_PORT, A2A_HOST, A2A_VERBOSE). That matches the expected needs for a local WebSocket server. However, absence of required credentials corresponds to missing authentication features in the implementation (documented as TODO).
Persistence & Privilege
Flags show always:false and normal autonomous invocation settings. The skill does not request persistent platform-wide privileges, nor does it declare config paths or attempt to modify other skills.
Assessment
This skill appears to implement the described WebSocket A2A server and client (source files are included), but before installing or running it you should:

1) Review src/server.js and src/client.js for how connections are authenticated and whether any unauthenticated commands are accepted. The README says trust-chain and message signing are TODO.
2) Do not expose the server to the public Internet without adding authentication, TLS/wss, and message-signing, and run it inside an isolated network or sandbox for testing.
3) Inspect package.json / package-lock.json to see which npm dependencies are pulled in and scan them for known vulnerabilities.
4) Prefer an upstream repository or published homepage (none is provided) so you can track updates and maintainers; ask the publisher for the canonical GitHub URL.
5) Run the test suite locally and audit logs/telemetry to ensure no unexpected external endpoints are contacted.

Overall the package is coherent with its stated purpose but contains explicit TODOs for security features. Treat it as prototype code, not production-ready infrastructure.

Like a lobster shell, security has layers — review code before you run it.

Tags: a2a, latest, messaging, multi-agent, websocket
