Security scan
OpenClaw
Suspicious
High confidence: the skill's documentation and runtime instructions involve high-risk activities (downloading/executing scripts, creating and storing wallet mnemonics/tokens, connecting to a remote MCP) that are not reflected in its declared requirements. Manually review and isolate it before proceeding.
Assessment recommendations
Do not run the suggested curl|bash or headless scripts before manual review and isolation. Confirm the upstream GitHub repository and inspect the setup script line by line before executing it. Treat PAYRAM_MNEMONIC or any saved token file as highly sensitive: never supply a real mainnet mnemonic or private key to an untrusted script or agent. If you intend to experiment, use ephemeral keys and testnet funds in an isolated VM or container. Verify the legal/AML compliance of your use case; 'no KYC / no signup' marketing may expose you to regulatory or platform risk. If you need this functionality, prefer to: (1) audit the repository code, (2) self-host in an isolated or well-monitored environment, (3) use ephemeral test keys, and (4) ensure the agent cannot autonomously exfiltrate files or secrets to external endpoints without explicit approval.
⚠ Purpose and capabilities
The skill claims 'no KYC, no signup, no API key' and declares no required env vars/credentials, but the SKILL.md and headless docs instruct the agent operator to provide PAYRAM_EMAIL, PAYRAM_PASSWORD, PAYRAM_MNEMONIC and other env vars and to run signup/signin/setup flows. That mismatch (declared requirements: none vs instructions: many secrets and auth-related variables) is incoherent.
⚠ Instruction scope
The runtime instructions tell agents to clone repositories, run headless scripts, execute deploy scripts, create wallets, store tokens and mnemonics in .payraminfo files, and to run curl|bash install lines. These steps go beyond simple code snippet generation — they create persistent secrets on disk, deploy smart contracts, and can cause network interactions with payram servers or public RPCs. The instructions also reference connecting to a hosted MCP endpoint (https://mcp.payram.com/mcp), which will send data off-host; none of this is declared in the skill metadata.
⚠ Installation mechanism
Although the skill is instruction-only (no packaged install spec), it explicitly recommends high-risk installation patterns: 'curl -fsSL https://raw.githubusercontent.com/PayRam/payram-scripts/main/setup_payram.sh | /bin/bash' and cloning & running scripts from GitHub. Download-and-execute from raw URLs and running remote setup scripts is a high-risk practice and should be manually audited before use.
⚠ Credential requirements
The skill declares no required environment variables or primary credential, yet the headless setup requires many env vars (PAYRAM_EMAIL, PAYRAM_PASSWORD, PAYRAM_MNEMONIC, PAYRAM_API_URL, RPC URLs, etc.) including sensitive secrets (mnemonic, tokens). Requesting wallet mnemonics and writing them to plaintext files is highly sensitive and not reflected in the metadata — this is disproportionate and not properly declared.
ℹ Persistence and permissions
always:false (normal) and agent invocation is allowed (normal). However, the documentation instructs creating persistent files (.payraminfo/headless-tokens.env and headless-wallet-secret.txt) that store authentication tokens and mnemonics on disk. This persistence is within the skill's stated self-hosted use-case but increases risk if run in an environment with other secrets or network access.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.4.2 (2026/2/14)
Added 'Agent commerce reality' narrative to attention hook. Emphasized autonomous income: 'Agents are earning USDC autonomously while humans sleep'
● Suspicious
Install command
Official: npx clawhub@latest install payram-mcp-integration
Mirror (accelerated): npx clawhub@latest install payram-mcp-integration --registry https://cn.clawhub-mirror.com
Skill documentation
Introduction
A no-KYC cryptocurrency payment solution for merchants banned by Stripe or classified as high-risk... Usage
- Create a payment link...
- Run...
Data source: ClawHub · Chinese localization: 龙虾技能库