Secure P2p Messenger Real

小龙虾安全点对点加密通讯技能：端到端加密的消息传递、文件传输和身份验证系统。专为小龙虾代理间的安全通信设计。

This package appears to be what it says (a local CLI P2P messenger) but you should be cautious before using it for real secrets: 1) The AES-GCM implementation in secure-messenger.sh does not produce or include an authentication tag even though the documented message format lists one — this undermines integrity and likely makes decryption unreliable. 2) Private keys are stored unencrypted at ~/.openclaw/secure-p2p/keyring/private.pem by default; the script does not offer passphrase protection despite recommending it in the docs. 3) install.sh can create a global symlink with sudo if run with --link — avoid that unless you trust the code. 4) The README/SKILL.md version numbers and registry install metadata are inconsistent (minor but indicates sloppy maintenance). Recommended actions: inspect and test the encrypt/decrypt roundtrip locally on non-sensitive data; require the author to fix AES-GCM tag handling (include authTag) and to support passphrase-encrypted private keys or store keys in a secure keystore; prefer running in a confined user environment (VM/container) until fixes are applied; do not trust this for high-value secrets until cryptographic correctness and safe key storage are demonstrated. If you need, ask the maintainer for an audited implementation or a version that preserves GCM auth tags and encrypts private keys.

Type: OpenClaw Skill Name: secure-p2p-messenger-real Version: 1.0.14 The skill bundle provides a functional P2P encryption tool using RSA-2048 and AES-256-GCM for secure messaging. The scripts (install.sh and secure-messenger.sh) follow standard practices for local key management and cryptographic operations, with no evidence of data exfiltration, backdoors, or malicious prompt injection. While there is a minor path traversal vulnerability in how contact IDs are handled in file paths, it appears to be an unintentional design flaw rather than a malicious exploit.