Is cerbug45/agentmesh safe?

https://github.com/openclaw/skills/tree/main/skills/cerbug45/agentmesh

Overall score: 87 · SAFE

AgentMesh is a well-implemented, legitimate Python library providing end-to-end encrypted peer-to-peer messaging between AI agents using industry-standard cryptography (X25519 ECDH, AES-256-GCM, Ed25519 signatures, HKDF). The SKILL.md contains no prompt injection and the install process — a simple git sparse-checkout and file copy — executes no Python code. The primary security concern is architectural rather than malicious: the library's design intentionally makes agent communications opaque to operator monitoring, and its NetworkHub feature could serve as an encrypted covert channel if an agent were separately compromised through prompt injection or another malicious skill.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

MEDIUM (-20) · Encrypted Channels Intentionally Opaque to Operator Monitoring

AgentMesh's core design goal is to prevent anyone, including the hub operator (system owner), from reading agent message contents. While this is a legitimate privacy feature, it also means that if an agent is used maliciously, its communications via AgentMesh are unreadable to defenders monitoring network traffic. The forward secrecy provided by the X25519 key exchange further ensures that past sessions cannot be decrypted even if long-term keys are later recovered.

MEDIUM (-15) · NetworkHub Enables Outbound Connections to Arbitrary External TCP Servers

The NetworkHub class accepts a configurable host:port and makes persistent TCP connections to that destination. If an agent is instructed (via legitimate user request or injected instruction from another skill) to connect to an attacker-controlled hub, it can relay encrypted agent payloads through that server. The hub server sees only metadata (sender ID, recipient ID, timestamp); payload content is encrypted end-to-end.

MEDIUM (-15) · Potential Covert C2 Infrastructure When Chained with Prompt Injection

AgentMesh alone is passive and benign. However, in combination with a separate prompt injection attack or a malicious co-installed skill, an attacker could direct an agent to register with an attacker-controlled NetworkHubServer and receive encrypted task instructions. The combination of legitimate-looking agent communication patterns and strong encryption creates a difficult-to-detect C2 channel.

LOW (-15) · Canary Credential Files Accessed During Monitoring Window

Filesystem monitoring recorded read access to all six canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at both the start (pre-install, 1771926302) and end (post-install, 1771926319) of the monitoring period. Temporal analysis indicates both access batches occurred when the skill was not installed or executing; accesses are attributed to Oathe monitoring infrastructure. Canary integrity confirmed intact with no modification or exfiltration.

LOW (-10) · Agent Private Keys Serialized to Disk Without Encryption

The keypair_path feature, when used, writes an agent's full private key material (Ed25519 identity key + X25519 exchange key) to a JSON file using NoEncryption() serialization. This places long-term private cryptographic material in a plaintext file accessible to any process with filesystem access, persisting beyond the agent's runtime.

LOW (-10) · NetworkHubServer Defaults to Binding on All Interfaces

When the agentmesh-hub entry point or NetworkHubServer is started, it defaults to host='0.0.0.0', exposing the broker service on all network interfaces. This makes any started hub instance reachable by external parties on the network without requiring firewall rules or explicit external exposure configuration.

INFO (-5) · SKILL.md Is Clean Library Documentation

Comprehensive review of the SKILL.md found no prompt injection patterns, adversarial instructions, hidden content, persona manipulation, or attempts to alter agent behavior. The document is a standard open-source library README covering installation, API reference, examples, and security architecture.