Send and receive files peer-to-peer using the sendme protocol from iroh.computer. Use when the user wants to share files, transfer files between machines, se...
Security Analysis
High confidence: The skill is an instruction-only helper for the sendme CLI, and its requirements and instructions are consistent with that purpose.
Name/description (peer-to-peer file transfer via sendme) match the declared requirement (the sendme binary) and the install hint (brew formula). There are no unrelated credentials, binaries, or config paths requested.
SKILL.md only instructs installing and invoking the sendme CLI and includes a PTY-based pattern for headless environments. It does not request reading unrelated files, other env vars, or transmitting data to unexpected endpoints. It correctly warns the sender must stay online and that relays may be used as a fallback (an expected implementation detail).
Install spec points to a Homebrew formula named 'sendme' which is a reasonable, low-risk install mechanism. The manifest also mentions cargo install as an alternative. As with any third-party binary, users should verify the formula/source/repository and trustworthiness of the package before installing.
No environment variables or credentials are requested. The lack of secrets is proportional to a CLI wrapper/usage guide for a peer-to-peer file transfer tool.
Skill does not request always:true and is not force-included. It makes no persistent changes or requests elevated privileges; autonomous invocation is allowed by default but is normal for skills and not combined with other red flags here.
Guidance
This skill is an instruction-only wrapper for the sendme CLI and appears internally consistent. Before installing or using it: (1) verify the Homebrew 'sendme' formula or the upstream repository to ensure you trust the publisher; (2) be careful what files you share—sendme transfers data directly and a ticket grants access; do not publish tickets publicly; (3) understand sendme may fall back to relay servers (check the relay operator if you need to avoid third-party relays); (4) for headless/automated use, the provided PTY pattern is reasonable but review and run it in a safe environment; and (5) treat installation of any third-party binary like installing software from the internet—check signatures, repository history, and community trust before proceeding.
Latest Release
v0.1.4
- Updated SKILL.md to recommend only the Python PTY wrapper (removed the `script` command alternative) for non-interactive/headless environments.
- Clarified the use of `os.execvp()` in the Python example for safer process invocation and security (no shell injection risk).
- No changes to feature set or user-facing behavior.
Published by @muninn-huginn on ClawHub