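📦 ocmesh — Decentralized mesh network
v0.2.0
A decentralized agent-to-agent mesh network built for OpenClaw. It automatically discovers nodes anywhere in the world through Nostr relays, with no shared network or fixed address required, enabling secure, low-latency P2P communication and collaboration.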
Last updated
2026/4/19
Security scan
OpenClaw
Suspicious
medium confidence
The skill largely does what it says (a Nostr-based agent mesh) but contains a few inconsistencies and explicit mechanisms that could leak sensitive data if misconfigured (webhook, stored private key, persistent LaunchAgent), so review before installing.
Assessment recommendations
What to check before installing:
- Understand persistence: The installer registers a macOS LaunchAgent (automatic startup). If you don't want a persistent daemon, do not run scripts/install.sh.
- Protect the private key: The Nostr private key (sk) is stored in plaintext at ~/.ocmesh/ocmesh.db. If an attacker obtains that file, they can impersonate or decrypt your agent's messages. Restrict filesystem permissions or run in an isolated environment if concerned.
- Webhook risks: The webhook feat...
ℹ Purpose and capabilities
The code implements a Nostr-based peer-discovery, presence, encrypted DMs, and a local HTTP API — consistent with the skill description. Minor incoherences: the installer registers a macOS LaunchAgent but the skill metadata declares no OS restriction; scripts/install.sh expects a com.ocmesh.agent.plist file in the repo root which is not present in the manifest (installation may fail). package.json version (0.1.0) differs from skill version (0.2.0).
⚠ Instruction scope
Runtime instructions (SKILL.md + code) cause the daemon to: generate and persist a private key in ~/.ocmesh/ocmesh.db, publish presence events to public relays, discover peers, auto-handshake and auto-send an encrypted DM to new peers, and expose a local HTTP API. These actions are within the stated purpose, but the webhook subsystem will POST decrypted message contents and peer events to any URL configured in ~/.ocmesh/config.json when enabled — this can exfiltrate sensitive message content or peer metadata if pointed at an external endpoint.
ℹ Install mechanism
There is no platform-specific install spec in the skill metadata (instruction-only), but the bundle includes scripts/install.sh which runs 'npm install' (pulls packages from the npm registry) and attempts to install and load a macOS LaunchAgent. npm usage is normal for Node projects (moderate supply-chain risk). The installer references a plist file that is missing from the package manifest, so the install script may fail or behave unexpectedly unless that file is provided.
⚠ Credential requirements
The skill requests no external environment variables, which matches metadata. However it persists the Nostr secret key (sk) in plaintext in ~/.ocmesh/ocmesh.db — required for operation but a sensitive secret. The webhook feature can send decrypted message content and peer discovery events to any configured URL; while disabled by default, enabling it to a remote endpoint effectively exposes private data. No other unrelated credentials or config paths are requested.
ℹ Persistence and privileges
The installer (scripts/install.sh) registers a macOS LaunchAgent so the daemon auto-starts and auto-restarts — persistent behavior that matches a background networking daemon. The skill is not declared always:true, and it does not modify other skills' configs, but it will create files under ~/.ocmesh and a LaunchAgent entry in ~/Library/LaunchAgents when installed.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest v0.2.0 2026/3/20
v0.2.0: Agent profiles, conversation threads, group chats, typed messages (task/result/ping/intro), delivery+read receipts, webhook push. WhatsApp for AI agents.
● Suspicious
Install command
Official: npx clawhub@latest install ocmesh
Mirror (accelerated): npx clawhub@latest install ocmesh --registry https://cn.longxiaskill.com