← 返回 Skills 市场
cshirley001

Antenna

作者 Corey Shirley · GitHub ↗ · v1.3.4 · MIT-0
cross-platform ⚠ suspicious
307
总下载
0
收藏
1
当前安装
24
版本数
在 OpenClaw 中安装
/install antenna
功能描述
Inter-host OpenClaw session messaging over reachable HTTPS using built-in gateway webhook hooks. Use when: (1) sending a message from this OpenClaw instance...
使用说明 (SKILL.md)

Antenna — Inter-Host OpenClaw Messaging (v1.3.4)

Send messages between OpenClaw instances over reachable HTTPS via the built-in /hooks/agent webhook.

Prerequisites

Each participating host needs:

  1. OpenClaw gateway running with hooks enabled (hooks.enabled: true)
  2. A reachable HTTPS endpoint for /hooks/agent
  3. Antenna agent registered in gateway config (agents section)
  4. hooks.allowedAgentIds includes "antenna"
  5. hooks.allowedSessionKeyPrefixes includes "hook:antenna"
  6. Host-specific Antenna config in:
    • antenna-config.json
    • antenna-peers.json

Normal path:

  • Run antenna setup to generate the live runtime files.
  • Use antenna-config.example.json and antenna-peers.example.json as tracked reference templates only.

Notes:

  • Peers do not need to share one tailnet or one central hub.
  • Tailscale Funnel is a convenient default, but reverse proxies, VPS/domain-hosted HTTPS, Cloudflare Tunnel, and similar paths also work.

Architecture

Messages flow through a script-first relay pipeline:

  1. Sender runs antenna-send.sh which builds an [ANTENNA_RELAY] envelope and POSTs it to the recipient's /hooks/agent endpoint.
  2. Recipient gateway dispatches to the dedicated Antenna agent.
  3. Antenna agent writes the raw inbound message to a temp file using the write tool (structured API call, no shell metacharacter concerns).
  4. Antenna agent execs antenna-relay-file.sh with the file path — the script feeds the message to antenna-relay.sh which deterministically parses, validates, and formats it.
  5. Antenna agent calls sessions_send to inject the formatted message into the target session.
  6. Message appears persistently in the target conversation thread.

The LLM never performs relay parsing, encoding, or transformation; the scripts do all processing.

Trust Model

Antenna trust is layered:

  • Peer URL — where to reach that installation
  • Hook bearer token — protects webhook ingress
  • Per-peer runtime identity secret — authenticates claimed sender identity when configured. Verified via constant-time comparison; no plaintext secrets land in relay logs.
  • Peer allowlists — explicit inbound and outbound peer lists
  • Inbound session allowlist — limits where inbound relay may deliver (full session keys only)
  • Envelope marker guard — messages whose bodies or header values contain the envelope markers [ANTENNA_RELAY] / [/ANTENNA_RELAY] are rejected as malformed (prevents envelope smuggling)
  • Message freshness window — each message carries a timestamp:; stale or future-dated messages are rejected. Defaults: 300s max age, 60s max future skew. Tunable via .security.max_message_age_seconds and .security.max_future_skew_seconds.
  • Rate limiting — per-peer and global throttles
  • Untrusted-input framing — reminds receiving agents the relayed content may be external
  • Log sanitization — peer-supplied values stripped of control characters before logging
  • File-permission auditantenna status flags any token/secret file looser than chmod 600
  • Self-id required — sender refuses to run without self_id configured; it does not fall back to $(hostname)

For peer onboarding, Antenna now prefers Layer A encrypted bootstrap exchange using age. Legacy raw-secret export refuses non-TTY output (no piping runtime identity secrets into captured automation).

Configuration

Live runtime files are local installation state:

  • antenna-config.json
  • antenna-peers.json

Tracked reference files live beside them:

  • antenna-config.example.json
  • antenna-peers.example.json

Use antenna setup for normal installation; use the *.example.json files for schema reference or manual recovery.

antenna-config.json

{
  "max_message_length": 10000,
  "default_target_session": "agent:betty:main",
  "relay_agent_id": "antenna",
  "relay_agent_model": "openai/gpt-5.4-nano",
  "local_agent_id": "\x3Cyour-agent-id>",
  "install_path": "\x3Cabsolute-path-to-this-skill-directory>",
  "log_enabled": true,
  "log_path": "antenna.log",
  "log_max_size_bytes": 10485760,
  "log_verbose": false,
  "mcs_enabled": false,
  "mcs_model": "sonnet",
  "inbox_enabled": false,
  "inbox_auto_approve_peers": [],
  "inbox_queue_path": "antenna-inbox.json",
  "allowed_inbound_sessions": ["agent:betty:main", "agent:betty:antenna"],
  "allowed_inbound_peers": ["\x3Cpeer-a>", "\x3Cpeer-b>"],
  "allowed_outbound_peers": ["\x3Cpeer-a>", "\x3Cpeer-b>"],
  "rate_limit": {
    "per_peer_per_minute": 10,
    "global_per_minute": 30
  },
  "security": {
    "max_message_age_seconds": 300,
    "max_future_skew_seconds": 60
  }
}

Key fields:

  • relay_agent_model — use a full provider/model ID, not a local alias
  • local_agent_id — used by local CLI conveniences when expanding bare names to full session keys like agent:\x3Cid>:main
  • install_path — absolute path to this skill directory
  • allowed_inbound_sessions — inbound delivery allowlist (full session keys, e.g. agent:betty:main)
  • allowed_inbound_peers / allowed_outbound_peers — peer allowlists
  • rate_limit.* — inbound abuse controls
  • security.max_message_age_seconds / max_future_skew_seconds — freshness-window tolerance (defaults shown; omit the block to use defaults)

antenna-peers.json

{
  "\x3Cyour-host-id>": {
    "url": "https://\x3Cyour-reachable-hostname>",
    "token_file": "secrets/hooks_token_\x3Cyour-host-id>",
    "peer_secret_file": "secrets/antenna-peer-\x3Cyour-host-id>.secret",
    "exchange_public_key": "age1...",
    "agentId": "antenna",
    "display_name": "My Host",
    "self": true
  },
  "\x3Cremote-peer-id>": {
    "url": "https://\x3Cremote-reachable-hostname>",
    "token_file": "secrets/hooks_token_\x3Cremote-peer-id>",
    "peer_secret_file": "secrets/antenna-peer-\x3Cremote-peer-id>.secret",
    "exchange_public_key": "age1...",
    "agentId": "antenna",
    "display_name": "Remote Host"
  }
}

Key fields:

  • url — reachable HTTPS hook base URL
  • token_file — bearer token for that peer
  • peer_secret_file — per-peer runtime identity secret
  • exchange_public_key — peer's age public key for Layer A exchange
  • self — marks the local host entry

Usage

Send a message

scripts/antenna-send.sh \x3Cpeer> "Your message here"
antenna msg \x3Cpeer> "Your message here"                              # recipient resolves target session
antenna msg \x3Cpeer> --subject "Config sync" "Here's the block you need..."
antenna msg \x3Cpeer> --session "agent:\x3Cagent-id>:mychannel" "Your message"  # explicit session override
echo "Long message body..." | antenna send \x3Cpeer> --stdin
antenna send \x3Cpeer> --dry-run "Test message"

Session resolution: When --session is omitted, target_session is left out of the envelope entirely. The recipient resolves from their own default_target_session config. You don't need to know another host's internal session layout.

Peer pairing (interactive wizard)

antenna pair                          # Full interactive wizard
antenna pair --peer-id myserver       # Pre-fill peer ID

The wizard walks through keypair generation, public key sharing, optional ClawReef invite, bundle creation, optional bundle email send when mail tooling is available, exchange, connectivity test, and first message — with Next/Skip/Quit at each step. Also auto-offered at the end of antenna setup.

Peer onboarding / bootstrap exchange (manual)

Preferred encrypted flow:

antenna peers exchange keygen
antenna peers exchange pubkey
antenna peers exchange initiate \x3Cpeer-id> --pubkey \x3Cage1...> --print
antenna bundle verify \x3Cbundle-file>                         # read-only: decrypt & sanity-check before importing
antenna bundle verify \x3Cbundle-file> --json                  # machine-readable verdict
antenna bundle verify \x3Cbundle-file> --force-expired         # inspect a past-expiry bundle without importing
antenna bundle verify \x3Cbundle-file> --no-decrypt            # treat file as already-decrypted bundle JSON
antenna peers exchange import \x3Cbundle-file>                 # refuses expired bundles
antenna peers exchange import \x3Cbundle-file> --force-expired # disaster-recovery override
antenna peers exchange reply \x3Cpeer-id>

Optional direct-send convenience (email):

antenna peers exchange initiate \x3Cpeer-id> \
  --pubkey \x3Cage1...> \
  --email [email protected] \
  --send-email [--account \x3Chimalaya-account-name>]

Legacy/manual fallback:

antenna peers exchange \x3Cpeer-id> --export         # interactive TTY only; refuses to pipe secrets
antenna peers exchange \x3Cpeer-id> --import \x3Cfile>
antenna peers exchange \x3Cpeer-id> --import-value \x3Chex>

Peer registry updates:

antenna peers add \x3Cpeer-id> --url \x3Chttps-url> --token-file \x3Cpath>   # first time only
antenna peers add \x3Cpeer-id> --url \x3Cnew-url> --force                 # update existing: merges only the flags you pass

Notes:

  • Secure Layer A requires age and age-keygen
  • Export never materializes plaintext bundle JSON on disk; jq streams directly into age. Import decrypts to a temp file but cleans up on return, validation failure, preview failure, write failure, and Ctrl-C (SIGINT/SIGTERM).
  • antenna bundle verify \x3Cfile> is a read-only sanity check — it decrypts in place, validates shape / endpoint URL / freshness, and prints a safe summary (never the raw hooks token or identity secret). It never writes to antenna-peers.json or antenna-config.json. Use it before peers exchange import when a bundle comes from an untrusted or unclear channel.
  • Expired bundles are refused by default; use --force-expired only for genuine disaster recovery.
  • Optional direct-send requires himalaya. The sender email is resolved from your Himalaya TOML config (${HIMALAYA_CONFIG:-~/.config/himalaya/config.toml}, [accounts.\x3Cname>] email = "...") — there is no antenna@localhost fallback and no free-text From: override. Pass --account \x3Cname> to pick a specific configured account; interactive flows use selection-only UX.
  • Email is convenience transport only, not part of the trust model.
  • Import shows a preview and asks before allowlist changes unless --yes is used.
  • antenna peers add refuses to overwrite an existing peer without --force; --force does a field-level merge so unspecified peer fields (including exchange_public_key, self, and any future metadata) are preserved.
  • antenna peers remove prunes peer-scoped allowlist entries (allowed_inbound_peers, allowed_outbound_peers, peer-scoped inbound sessions) so removing a peer does not leave stale allowlist debris behind. Peer secret files are intentionally left in place; secret deletion is an explicit operator action (see antenna doctor section 6b for secrets-hygiene warnings about leftover files).

Session allowlist management

antenna sessions list                             # Show allowed inbound session targets
antenna sessions add antv3                        # Bare name → auto-expanded to agent:\x3Clocal>:antv3
antenna sessions add "agent:marie:lab1"            # Cross-agent: use full session key
antenna sessions remove antv3                     # Remove (bare names are expanded)
antenna sessions remove "agent:betty:main" --force # Core sessions need --force

Controls which session targets inbound messages can request via allowed_inbound_sessions in antenna-config.json.

Convention: full session keys everywhere. The allowlist stores full keys like agent:betty:main and agent:marie:lab1. The relay requires full keys from senders — bare names are rejected. The CLI auto-expands bare names to agent:\x3Clocal_agent>:\x3Cname> for convenience when adding/removing, but the stored value is always the full key.

Core sessions (agent:\x3Clocal>:main, agent:\x3Clocal>:antenna) are protected from removal unless --force is used. Supports batch add/remove.

Health and status

antenna doctor
antenna uninstall --dry-run
antenna uninstall
antenna peers list
antenna peers test \x3Cid>
antenna status
antenna log --tail 50

antenna doctor includes warn-only drift audits that complement the hard config/permission checks:

  • Section 1b — Peer-State Drift. Audits allowed_inbound_peers, allowed_outbound_peers, and peer-scoped inbound sessions in antenna-config.json against antenna-peers.json. Orphan peer IDs (allowlist entries for peers that no longer exist) are warnings, never failures. Catches the nexus / bruce-era debris class automatically.
  • Section 6b — Secrets Directory Hygiene. File-side counterpart to 1b. Warns on orphan peer-scoped secret / token files in secrets/ (antenna-peer-\x3Cid>.secret, hooks_token_\x3Cid>, peer_secret_\x3Cid> whose \x3Cid> is no longer in antenna-peers.json), backup-pattern leftovers (.bak*, .backup*, ~, .old), loose secrets/ directory permissions (target 700), loose per-file permissions on secret-shaped files (target 600), and unknown-shape files inside secrets/.

Testing

antenna test \x3Cmodel>
antenna test-suite --tier A
antenna test-suite --model \x3Cm>
antenna test-suite --models "\x3Cm1>,\x3Cm2>"
antenna test-suite --report

Model tests emit a per-run TEST_NONCE and match both success and pre-delivery rejections by that nonce, so parallel or historical runs cannot contaminate each other's verdicts and auth / peer / rate-limit failures return promptly instead of waiting for the full timeout. Tests drive gateway config through the CLI/helper path with a single batched restart rather than restarting per operation.

Inbox (optional approval queue)

When inbox_enabled is true in config, inbound messages from peers not in inbox_auto_approve_peers are queued for review instead of being relayed immediately. Auto-approved peers bypass the queue and relay instantly (current behavior).

antenna inbox                        # list pending messages (table view)
antenna inbox count                  # pending count (for heartbeat/cron checks)
antenna inbox show \x3Cref>             # full message body for a ref
antenna inbox approve all            # approve everything pending
antenna inbox approve 1,3,5-7       # selective approval (commas and ranges)
antenna inbox deny all               # reject everything pending
antenna inbox deny 2,4               # selective denial
antenna inbox drain                  # output delivery JSON for approved, remove denied
antenna inbox clear                  # purge all processed items

Delivery flow: antenna inbox drain outputs one JSON line per approved message with sessionKey and message fields. The calling agent (your primary assistant) reads these and calls sessions_send for each. This avoids re-entering the relay agent via /hooks/agent.

Configuration:

{
  "inbox_enabled": false,
  "inbox_auto_approve_peers": ["trusted-peer-id"],
  "inbox_queue_path": "antenna-inbox.json"
}

Notes:

  • Disabled by default — existing behavior is unchanged
  • Auto-approve list lets trusted peers bypass the queue (progressive trust)
  • Queue file is local runtime state (gitignored)
  • Ref numbers auto-increment and support range selection
  • When inbox is enabled, the relay agent only needs exec (not sessions_send), reducing its required permissions

Heartbeat / cron integration:

Add to your HEARTBEAT.md:

## Antenna inbox check
- Run: `antenna inbox count`
- If > 0: run `antenna inbox list` and mention it

Or set up a cron job for automated handling:

Check antenna inbox. If there are pending messages from peers
in [trusted-peer-id], approve and drain them. For anything else,
summarize the queue and ask me.

Conversational usage: Ask your assistant "any Antenna messages waiting?" — it can run antenna inbox list, you review, then say "approve 1 and 3, deny 2" and it handles the rest.

ClawReef — Peer Discovery

clawreef.io is the optional community registry for Antenna hosts:

  • Discover peers — browse and search the directory
  • Send invites — ClawReef delivers them via Antenna to the recipient's default session
  • Accept & pair — accepting an invite starts the normal antenna pair flow locally

ClawReef stores webhook credentials (hooksToken, identitySecret) for push delivery alongside public keys and endpoints — standard webhook-provider behavior. It does not store messages, private age keys, or message content. All trust decisions remain local to Antenna.

The pairing wizard (antenna pair) offers ClawReef invites as an alternative to manual encrypted exchange. Setup also displays ClawReef info after completion.

Security Notes

  • Relay agent is script-first and non-interpreting
  • Inbound sessions are allowlisted (full session keys only)
  • Sender peer must be allowlisted on both inbound and outbound sides
  • Per-peer identity secret can authenticate sender claims; comparison is constant-time
  • Envelope marker guard rejects messages whose bodies or headers contain [ANTENNA_RELAY] / [/ANTENNA_RELAY]
  • Message freshness window rejects stale or future-dated envelopes (defaults: 300s age, 60s future skew)
  • Sender refuses to run without configured self_id (no $(hostname) fallback)
  • Legacy raw-secret export refuses non-TTY output
  • Encrypted bundle export never writes plaintext; encrypted bundle import cleans up plaintext on every exit path (return / fail / SIGINT / SIGTERM)
  • Expired encrypted bundles are refused at import (--force-expired is the disaster-recovery override)
  • Email send for bootstrap/pubkey resolves sender address from Himalaya TOML config; no antenna@localhost fallback, no free-text From: override
  • Tokens and secrets are file-backed and should be chmod 600; antenna status audits permissions
  • Relay temp files are created with umask 077, chmod 0600, and shredded before unlink on cleanup
  • Setup preserves an existing gateway hooks.token rather than overwriting it
  • Relayed content is framed as potentially untrusted input
  • Rate limiting throttles inbound bursts; transaction locking protects inbox and rate-limit state under concurrent access

Troubleshooting

  • Gateway won't start: Run antenna doctor
  • Want a clean slate: Run antenna uninstall (use --dry-run first if you want a preview)
  • 401 Unauthorized: wrong hook bearer token
  • 403 Forbidden: session prefix/agent restrictions or peer policy mismatch
  • Relay rejected: peer not allowlisted, session not allowlisted, or identity secret mismatch
  • Relay rejected: timestamp out of range (stale|future): peer clock skew exceeds freshness window; sync clocks or widen .security.max_message_age_seconds / .security.max_future_skew_seconds
  • Relay rejected: marker in body|headers: envelope-marker guard working as intended; rephrase or encode any literal [ANTENNA_RELAY] / [/ANTENNA_RELAY] content
  • self-id not configured - run antenna setup: sender is missing host identity in antenna-config.json; there is no $(hostname) fallback
  • Encrypted exchange fails immediately: age / age-keygen missing
  • Bundle expired - refusing import: request a fresh bundle from the peer, or pass --force-expired only for disaster recovery. To inspect an expired bundle without importing, use antenna bundle verify \x3Cfile> --force-expired.
  • antenna bundle verify: decrypt failed: the bundle was encrypted for a different age public key than yours. Ask the peer to re-initiate against your current antenna peers exchange pubkey.
  • antenna bundle verify: endpoint URL rejected: the bundle's from_endpoint_url is not a valid HTTPS URL (e.g. main, bare host). Refuse to import; ask the peer to regenerate after fixing their self-peer URL.
  • antenna doctor: self-peer URL is not a valid URL: your own self peer entry has a malformed url. Fix it in antenna-peers.json or rerun antenna setup with a valid --url \x3Chttps://host>. REF-1313 now rejects malformed URLs at input time, but stale pre-fix entries still need to be corrected.
  • antenna doctor: orphan peer references in config allowlists (warning, section 1b): allowlists in antenna-config.json reference peer IDs that no longer exist in antenna-peers.json. Remove the stale IDs with antenna peers remove \x3Cid> on any current peer (which also prunes its allowlist entries), or edit antenna-config.json directly.
  • antenna doctor: orphan secret file / stale backup file / secrets/ dir is not 700 (warnings, section 6b): hygiene findings on the secrets/ directory. None of these can authenticate a peer that isn't in the registry, but they are real leak-surface / drift signals. Move orphan files to secrets.retired/ (or delete), rotate or remove .bak* leftovers, and run chmod 700 secrets/ / chmod 600 secrets/\x3Cfile> to tighten permissions.
  • Email send fails: could not resolve email for account: add email = "..." under [accounts.\x3Cname>] in your Himalaya TOML config, or pass --account \x3Cother> to pick a configured account that has an email set
  • Email send fails: himalaya not installed: install himalaya or fall back to sending the bundle file by hand
  • Legacy export refused - not a TTY: antenna peers exchange \x3Cpeer> --export must run in an interactive terminal; switch to antenna peers exchange initiate for automated or remote operator handoff
  • Message sent but not visible: ensure tools.sessions.visibility = "all" and tools.agentToAgent.enabled = true on the receiver; the relay agent uses cross-agent sessions_send, which requires both settings. Also ensure sandbox: { mode: "off" } on the Antenna agent — sandboxed sessions silently clamp visibility to tree, blocking cross-agent delivery
  • Exec denied / allowlist miss: ensure relay agent instructions use only simple commands (no $(...), heredocs, or chaining); the antenna-relay-file.sh wrapper accepts a file path only
  • Repeated approval prompts: ensure Antenna agent has sandbox: { mode: "off" } in registration. Default advice is not to set tools.exec.security or tools.exec.ask on the Antenna agent — explicit exec overrides cause silent relay failure (fixed in v1.2.14). If you've intentionally customized tools.exec on the agent, setup reruns now preserve your overrides instead of wiping them.
  • antenna peers add refuses to update an existing peer: by design — pass --force to update fields on a paired peer; without it, the command refuses to clobber trust material

File Inventory

skills/antenna/
├── SKILL.md
├── README.md
├── CHANGELOG.md
├── antenna-config.example.json
├── antenna-peers.example.json
├── antenna-peers.json
├── antenna-config.json
├── antenna.log
├── install.sh
├── bin/
│   └── antenna.sh
├── scripts/
│   ├── antenna-send.sh
│   ├── antenna-relay.sh
│   ├── antenna-relay-file.sh           # v1.1.8 — file-based relay input (preferred)
│   ├── antenna-relay-exec.sh            # v1.1.6 — base64 wrapper (legacy fallback)
│   ├── antenna-pair.sh                  # v1.1.9 — interactive peer pairing wizard
│   ├── antenna-health.sh
│   ├── antenna-peers.sh
│   ├── antenna-doctor.sh
│   ├── antenna-exchange.sh
│   ├── antenna-inbox.sh
│   ├── antenna-model-test.sh
│   └── antenna-test-suite.sh
├── references/
│   ├── ANTENNA-RELAY-FSD.md          # Relay architecture contract
│   └── issues.md                      # Known issues / gaps tracker
├── docs/                               # Repo-only (operator / historical)
│   ├── full-removal-checklist.md
│   ├── SECURITY-ASSESSMENT-v1.0.20.md
│   ├── RED-TEAM-REPORT-v1.0.4.md
│   ├── LAYER-A-SECRET-EXCHANGE-PLAN.md
│   └── SECRET-EXCHANGE-OPTIONS.md
└── agent/
    ├── AGENTS.md
    └── TOOLS.md

Notes:

  • antenna-config.json, antenna-peers.json, and antenna-inbox.json are local runtime files (gitignored)
  • antenna-config.example.json and antenna-peers.example.json are tracked reference templates

Gateway / Agent Registration

antenna setup handles all of this automatically and is safe to rerun (e.g., after a clawhub update). Setup forces sandbox.mode = "off" and seeds a default tools.deny list only when absent. It preserves an existing gateway hooks.token and, on rerun, preserves any tools.exec overrides the operator has intentionally set on the Antenna agent.

On each host:

  • agent antenna registered in OpenClaw config under agents with:
    • agentDir and workspace both pointing to the Antenna agent/ directory
    • sandbox: { mode: "off" } (required — sandbox silently clamps session visibility, breaking cross-agent relay)
    • restrictive tools.deny (block web, browser, image, cron, memory tools)
    • Default advice: do not set tools.exec.security or tools.exec.ask on the Antenna agent — explicit exec overrides cause silent relay failure (see v1.2.14 changelog). If you've intentionally customized these, setup reruns now preserve your overrides rather than wiping them.
  • hooks.allowedAgentIds includes "antenna"
  • hooks.allowedSessionKeyPrefixes includes "hook:antenna"
  • tools.sessions.visibility set to "all" (required for cross-agent sessions_send)
  • tools.agentToAgent.enabled set to true

Support

安全使用建议
What to consider before installing Antenna: - This package contains many scripts that will write local runtime state (antenna-config.json, antenna-peers.json) and plaintext secret files under a secrets/ directory. Confirm you are comfortable with secrets at rest (permissions are 600 by default) and that the host filesystem is trusted. - SKILL.md specifies a postInstall step that runs the bundled setup wizard. That setup will modify gateway/agent configuration (hooks token, agent registration). Prefer running setup manually so you can review changes and back up your gateway config first. - The project explicitly requires the Antenna relay agent to run with sandboxing disabled (sandbox: off) to allow sessions_send. This increases privilege — review the reasoning and consider restricting the agent's tools.deny list and monitoring its activity if you proceed. - The registry metadata did not declare required config paths or credentials, yet the skill reads/writes gateway config and references Himalaya/age config. Treat this as a metadata mismatch: inspect scripts (scripts/antenna-setup.sh, scripts/antenna-relay*.sh, bin/antenna.sh, install.sh) to verify exactly what files/paths will be touched. - If you cannot audit the scripts yourself, request the maintainer to: (1) clearly declare required config paths and privileges in the registry metadata, (2) offer a non-interactive dry-run of setup that prints planned changes, and (3) remove or make optional the postInstall automatic setup. In short: Antenna appears coherent with its advertised function, but its need to modify gateway/agent configuration, run with sandbox off, and store plaintext secrets are elevated actions that should be audited and consented to explicitly before installing.
功能分析
Type: OpenClaw Skill Name: antenna Version: 1.3.4 The 'antenna' skill is a robust and well-documented framework for inter-host messaging between OpenClaw instances. It implements a script-first relay architecture that uses deterministic Bash scripts (e.g., antenna-relay.sh) to parse and validate messages, ensuring the LLM does not interpret untrusted content. The skill includes significant security hardening, such as encrypted bootstrap exchanges using 'age' (antenna-exchange.sh), constant-time secret comparisons, rate limiting, and comprehensive diagnostic tools (antenna-doctor.sh). While it requires disabling the OpenClaw sandbox for the relay agent to enable cross-agent delivery, it mitigates this with restrictive tool allowlists and explicit security framing. No evidence of malicious intent, data exfiltration, or unauthorized persistence was found.
能力标签
cryptorequires-walletrequires-oauth-tokenrequires-sensitive-credentials
能力评估
Purpose & Capability
The skill's name/description match the included scripts and behavior (HTTPS webhook relay, peer registry, bootstrap via age). However the package expects to read and modify gateway/agent configuration (hooks, agent registration, tools.exec) and to write local secret files — yet the registry metadata declares no required config paths or credentials. That mismatch (no declared config paths while SKILL.md and scripts modify gateway/agent state) is disproportionate and unexplained.
Instruction Scope
SKILL.md and agent/AGENTS.md instruct writing inbound messages to disk, exec'ing local relay scripts, and calling sessions_send. They also describe modifying gateway hooks, registering an Antenna agent, and onboarding which writes tokens/peer secrets. The documentation explicitly requires the Antenna agent to run with sandbox: { mode: "off" } and recommends not enabling certain exec security features — this expands scope beyond a simple messaging helper and grants the skill the ability to change platform config and run unsandboxed scripts.
Install Mechanism
There is no external download in the manifest (scripts are bundled), which reduces supply-chain risk. However SKILL.md declares a postInstall hook that runs 'bash skills/antenna/bin/antenna.sh setup' automatically; that setup script will perform gateway/agent wiring and can be interactive. Automatic post-install setup that modifies system/gateway config is a noteworthy behavior and should be expected by the operator.
Credentials
Registry metadata lists no required env vars or primary credential, but the skill writes and reads plaintext hooks tokens and per-peer secrets (stored under secrets/, audited to chmod 600). Scripts reference HOME/XDG_CONFIG/HIMALAYA_CONFIG and gateway config paths; they will read and potentially modify host gateway/agent configs. Storing tokens/secrets unencrypted on disk and not declaring required config access is disproportionate to the metadata and increases risk if the host filesystem is shared or compromised.
Persistence & Privilege
The skill requires persistent runtime state (antenna-config.json, antenna-peers.json, secrets/) and its docs explicitly require the Antenna agent to run with sandboxing disabled (sandbox: off) to allow sessions_send semantics. Disabling sandboxing for an agent and altering gateway hooks/agent registration are elevated privileges compared with typical skills and broaden the blast radius if the skill or host is misused.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install antenna
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /antenna 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.3.4
Diagnostics + hygiene roll-up (REF-1312/1313/2000/2001/2002/2003).
v1.3.3
- Incremented version to 1.3.3 - Updated documentation files (README.md, SKILL.md) and changelog to reflect latest usage and setup instructions - No core code or functional changes; release focuses on improved documentation and guidance
v1.3.2
**Small release with documentation updates.** - Updated version to 1.3.2 in SKILL.md and documentation. - No functionality or code changes—documentation and metadata only.
v1.3.1
**Major security and reliability update, with new controls and protocol hardening.** - Introduced strict envelope marker validation, constant-time secret checks, and explicit session/peer allowlists for robust relay security. - Enforced message freshness windows (anti-replay via timestamp max age/skew, tunable), rate limits, and peer identity requirements. - Expanded configuration schema: added `security`, inbox-, and log-management fields; documented new defaults and overrides. - Overhauled relay parsing logic to reject malformed/smuggled messages and log/sanitize untrusted fields. - Added file-permission audit and stricter refusal of unsafe or ambiguous bootstrap/secret handling paths. - Numerous new and updated test cases, plus updated and reorganized documentation and references.
v1.2.21
Issue #17: session resolution fix + docs sweep. Sender omits target_session when --session not provided; recipient resolves from own config. README v1.2.7→v1.2.20, User Guide v1.2→v1.2.20, FSD/SKILL.md updated, surface manifest green. Tier A 15/15.
v1.2.20
v1.2.20: relay temp-file hardening, inbox/rate-limit locking, peer/config iteration hardening, refreshed validation/docs, known note about sessions_send timeout semantics in Control UI when delivery still succeeds.
v1.2.19
antenna sessions CLI + full session key convention
v1.2.18
Docs/config cleanup: remove stale ownerDisplay and exec-override guidance, correct trust-model claims, fix install paths, update GitHub URLs, document actual config requirements (sessions.visibility, agentToAgent, sandbox off)
v1.2.17
- Added support for optional bundle email sending during peer pairing wizard when mail tooling is available. - Documentation update: the peer pairing wizard now notes optional direct bundle email sending. - Bumped version to 1.2.17.
v1.2.16
- Version bump to 1.2.16. - Updated `SKILL.md` and metadata to reflect the new version. - No major feature or functionality changes included in this update.
v1.2.15
Antenna v1.2.15 - Updated version references to 1.2.15 in documentation. - No functional or code changes; documentation version bump only.
v1.2.14
- Bump version to 1.2.14. - Update SKILL.md for version and documentation improvements. - Minor internal documentation and changelog updates.
v1.2.13
Fix relative token_file path resolution causing false 401 errors
v1.2.12
Fresh-install setup hint and fix for second-run self-healing permission crash
v1.2.11
Setup guard: unconfigured installs now print a clear next-step hint instead of crashing
v1.2.10
Add postInstall hint for ClawHub CLI
v1.2.9
Self-healing permissions on first run; install.sh no longer required. Simplified two-command onboarding: clawhub install antenna && bash skills/antenna/bin/antenna.sh setup
v1.2.8
Fix pairing wizard crash (stale bin/antenna path) and dangling CLI symlink after uninstall --purge-skill-dir
v1.2.7
feat: support contact info ([email protected]), SECURITY.md, Getting Help section in README/docs/install.sh/doctor
v1.2.6
feat: add install.sh post-install bootstrap — fixes ClawHub permission issue and offers to run setup
元数据
Slug antenna
版本 1.3.4
许可证 MIT-0
累计安装 1
当前安装数 1
历史版本数 24
常见问题

Antenna 是什么?

Inter-host OpenClaw session messaging over reachable HTTPS using built-in gateway webhook hooks. Use when: (1) sending a message from this OpenClaw instance... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 307 次。

如何安装 Antenna?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install antenna」即可一键安装,无需额外配置。

Antenna 是免费的吗?

是的,Antenna 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Antenna 支持哪些平台?

Antenna 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Antenna?

由 Corey Shirley(@cshirley001)开发并维护,当前版本 v1.3.4。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论