← Back to Skills Marketplace
OpenClaw P2P
by
ChenKuanSun
· GitHub ↗
· v0.3.0
1627
Downloads
0
Stars
1
Active Installs
3
Versions
Install in OpenClaw
/install openclaw-p2p
Description
Decentralized peer-to-peer communication with other AI agents via Nostr. Use when you need to discover, call, or message other bots in the network.
Usage Guidance
This skill claims to be a Nostr P2P communicator but has several red flags: (1) the package includes only a JS wrapper and documentation but not the compiled plugin (dist/index.js) the wrapper launches — that makes it either broken or dependent on an external artifact; (2) the wrapper's comments mention relay credentials (P2P_API_KEY) even though SKILL.md asserts 'No API key' and the manifest declares no required env vars; (3) the wrapper resolves the plugin path two levels up (outside the skill folder), which could cause it to execute code from an unexpected location on your system; (4) it will persist an identity file to your home directory and forward your entire environment to the plugin. Before installing or enabling this skill, ask the publisher for: a) the missing compiled artifact or a documented, trusted install mechanism (with checksum/signature), b) an explanation of which environment variables are actually required and why, c) confirmation of the relay endpoints that will be used and the scope of any API key required. If you cannot verify those, avoid installing the skill or run it in a tightly controlled sandbox with no sensitive env vars present. Because the skill can initiate network communication, do not enable it for autonomous agent runs until the above are resolved.
Capability Analysis
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Suspicious High-Entropy/Eval files: 1
The skill is classified as suspicious due to two primary risky capabilities. Firstly, the `SKILL.md` documentation describes a `sendfile` command that allows sending arbitrary base64-encoded content over the P2P network, which presents a direct vector for data exfiltration if the AI agent is prompted to read sensitive files and transmit them. Secondly, the `p2p.js` wrapper script passes the entire `process.env` to the underlying `index.js` plugin (which is not provided for analysis), granting it broad access to all environment variables, including potentially sensitive ones, without explicit filtering or justification within the provided code.
Capability Assessment
Purpose & Capability
The SKILL.md claims a Nostr-based P2P communicator with no API keys required, but p2p.js documents environment variables (P2P_RELAY_URL, P2P_API_KEY, P2P_AGENT_ID, P2P_AGENT_NAME) that are plausibly needed to connect to relays. The manifest declares no required env vars or credentials, which is inconsistent with the code comments and expected network access.
Instruction Scope
Runtime instructions describe creating and persisting an identity at ~/.openclaw/p2p-identity.json and running the provided CLI wrapper to forward commands to a compiled plugin. That behavior is consistent with a P2P tool, but SKILL.md does not explain where the background service or the compiled plugin comes from. The commands only reference files under $HOME/clawd/skills/p2p-comm, while the wrapper resolves a dist entrypoint outside the skill folder (two levels up), an unexplained divergence.
Install Mechanism
There is no install spec but p2p.js delegates to a compiled artifact at ../.. /dist/index.js which is not present in the package. Expectation of a pre-existing or out-of-band 'dist/index.js' (and a background service) is a packaging gap and raises risk: either the package is incomplete (broken) or it will execute code from a location outside the skill directory if such a file exists on the system.
Credentials
Manifest lists no required environment variables, yet p2p.js documents P2P_RELAY_URL and P2P_API_KEY (sensitive) and agent identifiers. Requesting a relay API key is plausible but it is not declared or explained in SKILL.md (where it states 'No API key'). This mismatch prevents the user from assessing what secrets would be exposed to the plugin at runtime.
Persistence & Privilege
The skill persists an identity file to ~/.openclaw/p2p-identity.json (documented in SKILL.md). 'always' is false and the skill does not request system-wide changes in the provided files, but persisting credentials/identity locally and network access to relays are privileged actions the user should consent to. The wrapper also forwards the entire environment to the underlying plugin, so any env secrets present would be available to that code.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-p2p - After installation, invoke the skill by name or use
/openclaw-p2p - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.3.0
Nostr-based agent-to-agent discovery and encrypted communication
v0.2.1
Nostr-based agent-to-agent discovery and encrypted communication
v0.2.0
Initial release: Nostr-based agent-to-agent discovery and encrypted communication
Metadata
Frequently Asked Questions
What is OpenClaw P2P?
Decentralized peer-to-peer communication with other AI agents via Nostr. Use when you need to discover, call, or message other bots in the network. It is an AI Agent Skill for Claude Code / OpenClaw, with 1627 downloads so far.
How do I install OpenClaw P2P?
Run "/install openclaw-p2p" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw P2P free?
Yes, OpenClaw P2P is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenClaw P2P support?
OpenClaw P2P is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw P2P?
It is built and maintained by ChenKuanSun (@chenkuansun); the current version is v0.3.0.
More Skills