by 安全扫描
OpenClaw
安全
high confidenceThe skill's code, docs, and runtime instructions align with its stated purpose (searching and inspecting Substreams packages); no unexplained credential requests or obscure install steps were found, but it will fetch arbitrary URLs you pass it (SSRF risk) and perform broad scraping of substreams.dev which you should consider before running in a sensitive environment.
评估建议
This skill appears to do what it claims: it scrapes substreams.dev and fetches .spkg files to inspect module graphs and generate sink commands. Before installing/running it:
- Treat it as code that will make outbound HTTP requests to substreams.dev and to any URL you pass in (inspect_package accepts arbitrary URLs). Do not pass internal-only or sensitive endpoints unless you isolate the process or run it in a safe network environment (SSRF risk).
- Running via npx will pull the package from npm ...详细分析 ▾
✓ 用途与能力
Name, description, SKILL.md, README, and code all consistently implement searching the substreams.dev registry, parsing package cards, fetching .spkg files, inspecting module graphs, and generating sink deployment commands. The declared dependencies (HTML parser, @substreams/core, MCP SDK) and scripts in package.json match the described capabilities.
⚠ 指令范围
The tools accept arbitrary URLs for .spkg files and the server will fetch them and parse their contents. That behavior is necessary for inspection, but it means a user/agent could request the server fetch internal or otherwise sensitive endpoints (SSRF). The server also paginates and scrapes substreams.dev (up to MAX_PAGES=50) which results in many outbound requests — expected for its purpose but potentially abusive in some contexts.
ℹ 安装机制
The skill is instruction-only in the registry (no enforced install spec) but the bundle contains a standard Node package (package.json, package-lock.json, ts sources) and a Python MCP helper. The README instructs running via `npx substreams-search-mcp`, which is a normal distribution method. No remote, untrusted download URLs or extract steps were used in the provided files.
✓ 凭证需求
No environment variables, credentials, or config paths are required or requested. The code does perform network I/O (scraping the registry and fetching user-provided .spkg URLs), which is proportional to the skill's function but worth noting because it can access arbitrary network targets if given arbitrary URLs.
✓ 持久化与权限
always is false and there are no signs the skill attempts to alter other skills or system-wide agent config. It runs as an MCP server (stdio / SSE) when launched — normal behaviour for MCP servers and not privileged by itself.
⚠ src/index.ts:580
Environment variable access combined with network send.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.3.02026/3/13
- Added detailed documentation in SKILL.md, outlining key features, tools, install steps, and practical use cases. - Highlights new and existing tools: search_substreams, inspect_package, list_package_modules, and get_sink_config. - Improved clarity for searching packages, inspecting module graphs, analyzing sink configs, and deploying Substreams across multiple blockchains. - Expanded use case descriptions to illustrate how the skill aids discovery, inspection, and deployment.
● 无害
安装命令 点击复制
官方npx clawhub@latest install substreams-search
镜像加速npx clawhub@latest install substreams-search --registry https://cn.clawhub-mirror.com
技能文档
Search, inspect, and analyze Substreams packages from the substreams.dev registry — from discovery to sink deployment.
Tools
- search_substreams — Search the substreams.dev package registry by keyword, sort order, and blockchain network
- inspect_package — Inspect a .spkg file to see its module graph (DAG), protobuf output types, dependencies, and a Mermaid diagram
- list_package_modules — Lightweight module listing with types and inputs/outputs
- get_sink_config — Analyze sink configuration, extract SQL schemas, and generate ready-to-run CLI commands
Install
npx substreams-search-mcp
Use Cases
- Find Substreams packages for any blockchain (Ethereum, Solana, Arbitrum, Base, etc.)
- Inspect module graphs and understand data flow before deploying
- Get sink setup commands for PostgreSQL, ClickHouse, or subgraph entity sinks
- Discover sink-compatible modules in packages without embedded sink configs
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制