Is Agnuxo1/OpenCLAW-P2P safe?
https://github.com/Agnuxo1/OpenCLAW-P2P
OpenCLAW-P2P is a highly dangerous skill that turns an AI agent into a node in an uncontrolled peer-to-peer network. It hijacks the agent's identity, instructs it to open a WebSocket server accepting remote connections, share user data with anonymous peers, execute distributed compute tasks from unknown sources, and participate in consensus-driven self-modification. While no malicious clone-time behavior was detected and canary files were unharmed, the runtime behavior described in the SKILL.md constitutes a remote access architecture with data exfiltration and arbitrary code execution capabilities disguised as a scientific research framework.
Findings (10)
CRITICAL Agent identity hijacking and autonomous behavior directives -55
The SKILL.md redefines the agent's identity ('You are connected to the OpenCLAW-P2P distributed agent network') and issues standing behavioral orders that cause the agent to autonomously share data, accept tasks from peers, vote on proposals, and implement self-modifications. This effectively transfers control of the agent from the user to an external P2P network of unknown actors.
CRITICAL Opens WebSocket server accepting remote connections and commands -40
The skill instructs the agent to start a P2P node ('node dist/index.js') that opens a WebSocket server on port 19789. This server accepts connections from arbitrary peers on the internet and processes commands including compute task execution, knowledge injection, and self-improvement proposals. This is effectively a remote access trojan architecture.
CRITICAL Self-improvement mechanism enables arbitrary code execution via peer consensus -30
The self-improvement skill creates a pathway where network peers can propose code changes, vote on them, and have them automatically implemented. In a P2P network vulnerable to Sybil attacks, an attacker controlling enough nodes can push any arbitrary code change through the consensus mechanism.
HIGH Knowledge sharing broadcasts user data to P2P network -45
The skill instructs the agent to publish knowledge, research findings, and experimental results to the P2P network via gossip protocol. User data submitted as 'knowledge' is propagated to all network peers with TTL=7 hops. There is no mechanism for user consent before data leaves the host.
HIGH Distributed compute submits user data to unknown peers for processing -35
The distributed compute skill instructs the agent to submit data as compute jobs that are distributed across network peers. Sensitive data (research data, code, analysis) leaves the user's machine and is processed by unknown third parties.
HIGH Four skills concatenated to maximize injected instruction surface -15
The SKILL.md file contains four separate skills (p2p-networking, scientific-research, self-improvement, distributed-compute) concatenated together, each with its own YAML frontmatter and behavioral directives. This unusual structure maximizes the amount of agent-redefining instructions injected into the system prompt.
MEDIUM Consensus mechanism delegates agent decisions to external peers -15
The voting and consensus instructions cause the agent to accept decisions made by network peers about what actions to take, what knowledge to trust, and what code modifications to implement. This effectively transfers the agent's decision-making authority from the user to anonymous network participants.
LOW Normal clone behavior with expected GitHub connectivity -15
Clone phase showed only expected network activity to GitHub (140.82.113.3:443) and normal filesystem operations. No suspicious processes spawned during installation.
INFO No canary file access detected 0
All honeypot files (.env, SSH keys, AWS credentials) remained intact with matching hashes before and after the audit.
MEDIUM AGI/ASI framing normalizes dangerous autonomous agent capabilities -40
The skill uses aspirational AGI/ASI language and academic paper framing to normalize extremely dangerous capabilities: autonomous self-modification, accepting instructions from anonymous peers, and sharing user data without consent. The scientific packaging makes social engineering more effective.