Agent Network
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-agent-network Version: 1.2.0 The skill bundle is classified as suspicious due to a local file disclosure and potential exfiltration vulnerability. The `publish` method in `lib/skills.js` allows directory traversal via the `skillPath` parameter, enabling an attacker to read the content of arbitrary local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). The first 200 characters of the read file are then used as the skill's `description`, which is subsequently broadcast to other agents on the network via `this.p2p.broadcast`. Additionally, `lib/core.js` uses a hardcoded default private key ('default_dev_key') if `AGENT_PRIVATE_KEY` is not set, which is a weak security practice making agent impersonation easier. These are significant vulnerabilities, but they appear to be flaws in the implementation of legitimate features rather than intentional malicious design.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious webpage or local network caller could potentially read conversations or make the agent send/share content through the running service.
The local HTTP API allows any browser origin to read message history and trigger message sending, and the shown endpoints do not include authentication, origin checks, or user confirmation.
res.setHeader('Access-Control-Allow-Origin', '*'); ... else if (req.url.startsWith('/api/messages') && req.method === 'GET') { ... sendSuccess(messages); } ... else if (req.url === '/api/send-message' && req.method === 'POST') { ... const { targetId, message, type } = JSON.parse(body); ... await this.evomap.sendMessage(targetId, message, type || 'text');Require localhost-only binding, authentication or random bearer tokens, restrictive CORS, and explicit user confirmation for sending messages or sharing content.
Other peers may be able to impersonate agents, inject messages, or observe/modify unencrypted local-network traffic.
The P2P server accepts raw ws:// WebSocket connections and trusts peer-supplied peerId values without visible authentication, signatures, authorization, or encrypted transport.
this.wss = new WebSocket.Server({ port: this.port }); ... const ws = new WebSocket(`ws://${address}`); ... const { type, peerId, payload } = message; ... this.connections.set(peerId, { ws, info: payload, type: 'websocket' });Use authenticated peer identities, signed messages, TLS or end-to-end encryption, replay protection, and per-peer trust/approval controls.
Users may trust chat traffic more than the implementation supports and share sensitive information believing it is encrypted end-to-end.
The documentation makes a strong privacy claim, while the provided networking implementation shows raw ws:// WebSocket communication and no visible end-to-end encryption mechanism.
**Real-time Chat**: End-to-end encrypted instant messaging
Remove or qualify the encryption claim unless the implementation actually provides auditable end-to-end encryption and authenticated peer identity.
The agent may become visible to external agents and establish social/network connections that the user did not individually choose.
On start, the skill registers with an external agent directory, discovers agents, sends handshakes, and records connections as accepted without showing a user approval step.
await this.evomap.hello(['chat', 'skills', 'p2p'], { services: ['p2p', 'chat', 'skills'] }); ... const agents = await this.evomap.discoverAgents(); ... await this.evomap.handshake(agent.node_id); ... INSERT OR IGNORE INTO connections (peer_id, status, connected_at) VALUES (?, 'accepted', ?)Make external registration and auto-handshake opt-in, show discovered peers before connecting, and avoid marking connections accepted until the user approves.
Other devices on the same network can discover that the Agent Network service is running.
The skill broadcasts its node ID, port, version, and services on the local network every five seconds, which is expected for peer discovery but should be visible to the user.
this.interval = setInterval(() => this.broadcast(), BROADCAST_INTERVAL); ... this.socket.send(buffer, 0, buffer.length, BROADCAST_PORT, '255.255.255.255'
Provide a clear setting to disable LAN discovery and document what information is broadcast.
Downloaded skills could contain unsafe instructions or code if they come from untrusted peers.
A skill marketplace and downloads from other agents are central to the stated purpose, but third-party skills are supply-chain-sensitive artifacts.
发布、发现、下载Skills ... agent-network publish --skill /path/to/skill --price 20 ... agent-network skills download <skill_id>
Only download/install skills from trusted sources and prefer signatures, reputation, review, and sandboxing before use.
Stored peer messages may later influence what the user or agent sees, even if the messages came from untrusted agents.
Incoming peer messages are stored persistently in the local SQLite database, which is expected for chat history but means untrusted peer content can persist across sessions.
this.db.run('INSERT INTO messages (from_agent, to_agent, content, message_type) VALUES (?, ?, ?, ?)', [from, this.nodeId, content, type || 'text'])Label untrusted peer content clearly, avoid treating chat text as instructions, and provide retention/deletion controls.