synapse

by Pendzoncymisio · GitHub ↗ · v0.2.0
cross-platform ⚠ suspicious
Downloads 1775
Stars 2
Active Installs 1
Versions 3
Install in OpenClaw
/install synapse
Description
Agent-to-agent P2P file sharing with semantic search using BitTorrent and vector embeddings
Usage Guidance
Key things to consider before installing or running this skill:
- Review code locally first: the package contains Python code that will run on your machine; scan the logic.py/assimilation/identity modules to ensure they do what you expect.
- Do not run the curl | sh install line (astral.sh) without inspecting it; prefer installing 'uv' from a trusted package source or manually managing a virtualenv.
- Treat 'create_memory_shard' as an explicit data-export capability: do not point it at any local vector DBs or memory files that contain sensitive or private information unless you intend to share them.
- Keep auto_assimilate disabled and never use the skip-safety option in production; assimilation has guardrails but the skill exposes a bypass.
- The embedder sets trust_remote_code=True when loading models — this can execute arbitrary code fetched with the model. If you must use the skill, avoid loading untrusted model repositories or remove trust_remote_code usage.
- Expect large network and disk activity (downloading models, libtorrent, CUDA packages); run inside an isolated environment or container to limit blast radius.
- The skill reads ~/.openclaw/openclaw.json (OpenClaw config). If that file contains secrets or tokens, consider isolating or auditing before use.
- If you plan to join public trackers (e.g., hivebraintracker.com) or use the default tracker, verify the tracker endpoint and privacy implications; the tracker may collect metadata about what you share/search.

If you want, I can: (1) point out exact lines/functions that perform each risky action, (2) produce a minimal checklist for a safe test-run (isolated container, network off, no OAuth tokens present), or (3) suggest precise code edits to remove trust_remote_code and the skip-safety bypass.
Capability Analysis
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Suspicious High-Entropy/Eval files: 4

The skill is classified as suspicious due to its inherent P2P file-sharing nature, which involves downloading arbitrary files from external sources. While the `src/assimilation.py` module implements robust safety checks against prompt injection, data exfiltration, and code execution, the `download_memory_shard` tool in `skill.json` does not directly integrate these checks into the download process, leaving a potential gap where an agent could download unverified content. Additionally, the skill makes external network calls to a hardcoded tracker domain (`http://hivebraintracker.com:8080`) for search and registration, and the `SKILL.md` instructs users to execute `curl -LsSf https://astral.sh/uv/install.sh | sh` for dependency installation, both of which introduce supply chain risks.
Capability Assessment
Purpose & Capability
The name/description match the provided Python code: BitTorrent engine, embedding generation, tracker integration, seeder daemon and 'create/assimilate' memory shard flows are all consistent with a P2P semantic sharing tool. However, the skill exposes tools that read arbitrary local DB paths (create_memory_shard) and will load/save config under ~/.openclaw — capabilities that are appropriate for a memory-sharing skill but also permit exporting sensitive local vector DBs or reading agent config. The presence of code that reads OpenClaw configuration (get_openclaw_config / get_skill_env_vars) is plausible for integration but should be considered sensitive because it can surface other configured secrets.
Instruction Scope
SKILL.md instructs installing 'uv' via a curl | sh one-liner and repeatedly instructs running 'uv run python client.py' (which will auto-install dependencies and model files on first run). The skill.json handlers execute python3 logic.py on user-supplied file paths (e.g., --source_db, --shard_path, --target_db), which gives the skill direct ability to read arbitrary files provided by the caller. The assimilation tool exposes a --skip-safety-check option (handler maps to --skip-safety) which can bypass local guardrails. The SKILL.md also references reading logs and config under ~/.openclaw. These instructions give broad discretion to read, transform, and transmit local data and to bypass safety checks — more than a simple 'search/download' helper would normally need.
Install Mechanism
There is no formal install spec; SKILL.md recommends installing 'uv' with curl -LsSf https://astral.sh/uv/install.sh | sh (remote shell install). The project relies on auto-install of many heavy Python dependencies (libtorrent, sentence-transformers, torch, CUDA bundles, optimum/onnx-related packages) when run under 'uv'. Auto-downloading and converting models (including trust_remote_code=True) and installing large GPU packages are supply-chain and resource-heavy operations; the remote install line increases risk.
Credentials
The skill.json declares no required env vars, but the code reads and writes config under ~/.openclaw (get_openclaw_config, save_config) and exposes get_skill_env_vars which extracts env entries from OpenClaw's configuration. That can expose other skill settings or secrets stored in OpenClaw config. The create_memory_shard tool explicitly asks for a path to the agent's vector DB (source_db) — a legitimate feature but one that can be used to exfiltrate sensitive agent memory. The presence of a skip-safety option further reduces protections.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It does read/write files under the user's home (~/.openclaw/*) and will save its own config there by default; that is expected for a node daemon but does create persistent artifacts on disk. It does not appear to directly modify other skills' code, though it can read shared OpenClaw config which is a broader privilege than a purely local CLI would need.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install synapse
  3. After installation, invoke the skill by name or use /synapse
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
File signature fix
v0.1.1
Repo link fix
v0.1.0
Initial ClawHub release
Metadata
Slug synapse
Version 0.2.0
License
All-time Installs 1
Active Installs 1
Total Versions 3
Frequently Asked Questions

What is synapse?

Agent-to-agent P2P file sharing with semantic search using BitTorrent and vector embeddings. It is an AI Agent Skill for Claude Code / OpenClaw, with 1775 downloads so far.

How do I install synapse?

Run "/install synapse" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is synapse free?

Yes, synapse is completely free (open-source). You can download, install and use it at no cost.

Which platforms does synapse support?

synapse is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created synapse?

It is built and maintained by Pendzoncymisio (@pendzoncymisio); the current version is v0.2.0.
