Security scan
OpenClaw
Suspicious
Medium confidence: the skill is essentially what it describes (private web fetching paid per request from an EVM wallet), but it has inconsistencies and supply-chain and credential-handling risks; review it before installing.
Assessment recommendations
This skill appears to be an instruction-only client that installs npm packages and requires an EVM private key to pay per request. Before installing: (1) verify that the npm packages (@x402/* and viem) and the GitHub repository (for the MCP server) are legitimate and reviewed; (2) keep the private key in a file with restrictive permissions (600) rather than exporting it into the shell long-term; (3) use a throwaway wallet funded with only a minimal amount of USDC/ETH (to limit the impact of a leaked key); (4) note that the wallet-gen script refers to Base Sepolia (testnet) while the README refers to Base mainnet; confirm which network is intended before sending funds; (5) understand that npm install pulls code from the registry into your home directory (supply-chain risk). If you are not comfortable with these risks or cannot verify the package sources, do not install it or fund a real mainnet wallet.
ℹ Purpose and capabilities
Name/description, scripts, and CLI all align: the tool pays for web search/scrape/screenshot via an x402 payment SDK using an EVM wallet. However wallet-gen.mjs prints and documents Base Sepolia (testnet) while SKILL.md repeatedly instructs funding on Base mainnet — this mismatch is confusing and could cause users to fund the wrong chain.
✓ Instruction scope
Runtime instructions are narrowly scoped to installing the client, generating a wallet, and making paid requests to the declared gateway (https://search.reversesandbox.com). The scripts only read the wallet key (env var or key file) and perform network requests to the gateway; they do not access unrelated system paths or secrets.
⚠ Installation mechanism
setup.sh runs npm install in the user's ~/.x402-client directory and writes package.json, pulling three packages (@x402/fetch, @x402/evm, viem) from the npm registry. This is a standard but non-trivial supply-chain action: it will fetch and install third-party code into your home directory. The packages are not verified here and the skill includes no pinned source/release URLs.
⚠ Credential requirements
The skill requires an EVM private key to sign payments and instructs users to export X402_PRIVATE_KEY or store a key file. That is necessary for payments but is highly sensitive. The metadata declares no required env vars even though the scripts use X402_PRIVATE_KEY and X402_KEY_FILE. Also, wallet-gen prints private keys to stdout (unless saved), which can leak the secret if logs are captured — the mismatch between 'mainnet' vs 'sepolia' in the docs increases the risk of mis-funding.
✓ Persistence and permissions
The skill is not always-on and does not request elevated system-wide privileges. It installs files into ~/.x402-client (its own directory) and does not modify other skills or global agent settings. Autonomous invocation is allowed by default (normal).
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.0.0 (2026/2/17)
Initial release: search, scrape, screenshot via x402 micropayments
● Suspicious
Install command
Official: npx clawhub@latest install x402-private-web-tools
Mirror (accelerated): npx clawhub@latest install x402-private-web-tools --registry https://cn.clawhub-mirror.com
Skill documentation
Private web tools for AI agents: search, scrape and screenshot the web, paid via x402 micropayments (USDC on Base). Zero logs, no API keys, no accounts. Pay as you go...
Features
- Search
- Scrape
- Screenshot the web
Usage
- Install dependencies
npm install
- Configure the EVM private key
- Run the tools
Notes
- Make sure you understand and accept the security risks
- Verify the legitimacy of all sources
Data source: ClawHub · Chinese localization: 龙虾技能库