← Back to Skills Marketplace
2547
Downloads
1
Stars
3
Active Installs
5
Versions
Install in OpenClaw
/install ocft
Description
P2P file transfer between AI agents via message channels. Supports chunked transfer, IPFS fallback for large files, and trusted peer management.
Usage Guidance
This skill is a coherent P2P file-transfer design, but exercise caution before installing or running it:
- Audit the npm package first: the SKILL.md tells you to run `npm install -g ocft`, which will download and run third-party code. Inspect the package and its GitHub repo (commits, maintainers, recent activity) before installing.
- Prefer installing/running the CLI in an isolated environment (container, VM) rather than installing globally on a production machine.
- Be aware the tool creates and stores secrets and trusted-peer data at ~/.ocft/config.json and exposes commands like `show-secret` and `export` — treat those secrets like any API key and avoid sharing them with untrusted peers.
- Understand the risk of file exfiltration: the skill is designed to send arbitrary files over chat channels. Only add trusted peers and verify URIs before importing peers.
- If you plan to use IPFS fallback, verify provider credentials and limit keys scope; don't reuse high-privilege keys.
If you want a safer install path, request the maintainer provide a pinned install spec (e.g., exact npm package version and checksum) or bundle audited code rather than only an instruction to install from npm.
Capability Analysis
Type: OpenClaw Skill
Name: ocft
Version: 1.1.2
This skill is classified as suspicious due to its inherent handling of sensitive information (node secrets, IPFS API keys) and its extensive file system and network access, which, while plausible for its stated purpose of P2P file transfer, introduces significant risk. Specifically, commands like `ocft show-secret` and `ocft set-ipfs-key` (documented in SKILL.md) directly manage credentials, and the skill stores configuration including secrets in `~/.ocft/config.json` (mentioned in README.md). The reliance on an external `npm` package (`npm install -g ocft`) also presents a supply chain risk.
Capability Assessment
Purpose & Capability
The stated purpose (P2P file transfer between agents) aligns with the CLI/API shown in SKILL.md (init, add-peer, sendFile, IPFS fallback). However the metadata declares no required config paths or credentials while the README/SKILL.md explicitly references a local config file (~/.ocft/config.json) that stores node secrets and trusted peers. That mismatch (declared nothing vs. instructions that create/store secrets) is an inconsistency worth flagging.
Instruction Scope
The SKILL.md instructs running the `ocft` CLI (e.g., `ocft init`, `ocft show-secret`, `ocft export`, `ocft sendFile`, referencing paths like /path/to/file.txt and ~/.ocft/config.json). Those operations necessarily read/write local files and secrets and can be used to send arbitrary files over message channels — which is the intended feature but also enables file exfiltration if misused. The instructions also include 'show-secret' and 'export', operations that surface secrets; the skill does not limit or warn about when/how those should be used.
Install Mechanism
No install spec is provided in the registry metadata, but the SKILL.md tells users to run `npm install -g ocft`. That delegates installation to a third-party npm package at runtime. Installing an external npm package globally downloads and executes code from the network and should be audited first; the instruction-only nature of the skill (no bundled code) plus a global npm install increases risk because the skill's operation depends on external code not audited here.
Credentials
The registry declares no required environment variables, which is consistent with the CLI-first design. The SKILL.md does provide commands to set IPFS provider keys and a Kubo URL (via `set-ipfs-key`, `set-kubo-url`) — these are relevant to the IPFS fallback feature but are not declared as required env or config in the metadata. The skill will store secrets in a local config file; that storage behavior is reasonable for a transfer tool but should be considered by users before adding secrets.
Persistence & Privilege
The skill is not set to always:true and does not request system-wide privileges in the metadata. It's instruction-only and does not request persistent platform-level enforcement. It will (per README) create a local config at ~/.ocft/config.json, which is expected for this functionality and is scoped to the user's home directory.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ocft - After installation, invoke the skill by name or use
/ocft - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.2
- Added support for IPFS fallback, allowing large files to be transferred using IPFS when they exceed a configurable threshold.
- Expanded CLI commands for trusted peer management and IPFS configuration.
- New commands include peer trust expiration (`set-ttl`, `extend-peer`), secret verification, and IPFS provider setup.
- Updated SKILL.md with detailed usage instructions and feature list.
- Added .clawhub/origin.json to the project.
v1.0.3
- Added a concise YAML metadata header with name, description, and homepage to SKILL.md.
- No functional or feature changes; documentation only.
v1.0.2
- Added support for configurable maximum file size via the new ocft set-max-size command.
- Updated documentation to highlight the new max file size feature and CLI command.
- Clarified that the default 100MB file size limit can now be changed by the user.
v1.0.1
- Added links to the project's GitHub and npm pages in the documentation.
- No code changes; documentation update only.
v1.0.0
Initial release of OCFT - OpenClaw File Transfer Protocol
- Enables peer-to-peer file transfer between AI agents over text-based chat channels (e.g., Telegram, Discord, Slack).
- CLI tools to manage nodes, secrets, and trusted peers.
- Chunked file transfer with 48KB pieces and SHA-256 integrity verification.
- Supports explicit or automatic file transfer acceptance, whitelisting peers with expiring secrets.
- Allows transfer resumption and secure peer management.
- File transfer messages use a standardized, easily shareable format for channel-based communication.
Metadata
Frequently Asked Questions
What is OCFT - OpenClaw File Transfer?
P2P file transfer between AI agents via message channels. Supports chunked transfer, IPFS fallback for large files, and trusted peer management. It is an AI Agent Skill for Claude Code / OpenClaw, with 2547 downloads so far.
How do I install OCFT - OpenClaw File Transfer?
Run "/install ocft" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OCFT - OpenClaw File Transfer free?
Yes, OCFT - OpenClaw File Transfer is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OCFT - OpenClaw File Transfer support?
OCFT - OpenClaw File Transfer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OCFT - OpenClaw File Transfer?
It is built and maintained by stormixus (@stormixus); the current version is v1.1.2.
More Skills