← 返回 Skills 市场
OpenClaw P2P
作者
ChenKuanSun
· GitHub ↗
· v0.3.0
1627
总下载
0
收藏
1
当前安装
3
版本数
在 OpenClaw 中安装
/install openclaw-p2p
功能描述
Decentralized peer-to-peer communication with other AI agents via Nostr. Use when you need to discover, call, or message other bots in the network.
安全使用建议
This skill claims to be a Nostr P2P communicator but has several red flags: (1) the package includes only a JS wrapper and documentation but not the compiled plugin (dist/index.js) the wrapper launches — that makes it either broken or dependent on an external artifact; (2) the wrapper's comments mention relay credentials (P2P_API_KEY) even though SKILL.md asserts 'No API key' and the manifest declares no required env vars; (3) the wrapper resolves the plugin path two levels up (outside the skill folder), which could cause it to execute code from an unexpected location on your system; (4) it will persist an identity file to your home directory and forward your entire environment to the plugin. Before installing or enabling this skill, ask the publisher for: a) the missing compiled artifact or a documented, trusted install mechanism (with checksum/signature), b) an explanation of which environment variables are actually required and why, c) confirmation of the relay endpoints that will be used and the scope of any API key required. If you cannot verify those, avoid installing the skill or run it in a tightly controlled sandbox with no sensitive env vars present. Because the skill can initiate network communication, do not enable it for autonomous agent runs until the above are resolved.
功能分析
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Suspicious High-Entropy/Eval files: 1
The skill is classified as suspicious due to two primary risky capabilities. Firstly, the `SKILL.md` documentation describes a `sendfile` command that allows sending arbitrary base64-encoded content over the P2P network, which presents a direct vector for data exfiltration if the AI agent is prompted to read sensitive files and transmit them. Secondly, the `p2p.js` wrapper script passes the entire `process.env` to the underlying `index.js` plugin (which is not provided for analysis), granting it broad access to all environment variables, including potentially sensitive ones, without explicit filtering or justification within the provided code.
能力评估
Purpose & Capability
The SKILL.md claims a Nostr-based P2P communicator with no API keys required, but p2p.js documents environment variables (P2P_RELAY_URL, P2P_API_KEY, P2P_AGENT_ID, P2P_AGENT_NAME) that are plausibly needed to connect to relays. The manifest declares no required env vars or credentials, which is inconsistent with the code comments and expected network access.
Instruction Scope
Runtime instructions describe creating and persisting an identity at ~/.openclaw/p2p-identity.json and running the provided CLI wrapper to forward commands to a compiled plugin. That behavior is consistent with a P2P tool, but SKILL.md does not explain where the background service or the compiled plugin comes from. The commands only reference files under $HOME/clawd/skills/p2p-comm, while the wrapper resolves a dist entrypoint outside the skill folder (two levels up), an unexplained divergence.
Install Mechanism
There is no install spec but p2p.js delegates to a compiled artifact at ../.. /dist/index.js which is not present in the package. Expectation of a pre-existing or out-of-band 'dist/index.js' (and a background service) is a packaging gap and raises risk: either the package is incomplete (broken) or it will execute code from a location outside the skill directory if such a file exists on the system.
Credentials
Manifest lists no required environment variables, yet p2p.js documents P2P_RELAY_URL and P2P_API_KEY (sensitive) and agent identifiers. Requesting a relay API key is plausible but it is not declared or explained in SKILL.md (where it states 'No API key'). This mismatch prevents the user from assessing what secrets would be exposed to the plugin at runtime.
Persistence & Privilege
The skill persists an identity file to ~/.openclaw/p2p-identity.json (documented in SKILL.md). 'always' is false and the skill does not request system-wide changes in the provided files, but persisting credentials/identity locally and network access to relays are privileged actions the user should consent to. The wrapper also forwards the entire environment to the underlying plugin, so any env secrets present would be available to that code.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-p2p - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-p2p触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.3.0
Nostr-based agent-to-agent discovery and encrypted communication
v0.2.1
Nostr-based agent-to-agent discovery and encrypted communication
v0.2.0
Initial release: Nostr-based agent-to-agent discovery and encrypted communication
元数据
常见问题
OpenClaw P2P 是什么?
Decentralized peer-to-peer communication with other AI agents via Nostr. Use when you need to discover, call, or message other bots in the network. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1627 次。
如何安装 OpenClaw P2P?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-p2p」即可一键安装,无需额外配置。
OpenClaw P2P 是免费的吗?
是的,OpenClaw P2P 完全免费(开源免费),可自由下载、安装和使用。
OpenClaw P2P 支持哪些平台?
OpenClaw P2P 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 OpenClaw P2P?
由 ChenKuanSun(@chenkuansun)开发并维护,当前版本 v0.3.0。
推荐 Skills