Security scan
OpenClaw
Suspicious
Medium confidence
Assessment and recommendations
This skill implements on-chain registration and reputation and legitimately needs a signing key to submit transactions — but the registry metadata incorrectly lists no required credentials while the scripts and SKILL.md require TRON_PRIVATE_KEY/PRIVATE_KEY or a private-key file (~/.clawdbot/wallets/.deployer_pk) and optionally a PINATA_JWT. Before installing or running: 1) Do not use your mainnet production private key — use a throwaway/test key or hardware wallet; 2) Prefer using temporary or t...
⚠ Purpose and capabilities
Name/description (ERC-8004 identity/reputation on TRON+BSC) align with the included JS scripts, ABIs, and contract addresses. However, the skill registry metadata declares no required env vars or credentials while the SKILL.md and scripts clearly require a signing private key (TRON_PRIVATE_KEY or PRIVATE_KEY) or a file at ~/.clawdbot/wallets/.deployer_pk and optionally PINATA_JWT — this mismatch is incoherent.
⚠ Instruction scope
SKILL.md and scripts instruct the agent/user to load a private key (env var or file) and run node scripts that will sign and send transactions and may upload metadata to IPFS (Pinata). The runtime instructions therefore access sensitive secrets and a specific home-directory path; the skill also directs interactions with external RPC endpoints (TronGrid, BSC RPC). There are no instructions that read unrelated system files, but the explicit private-key file path and optional PINATA_JWT are outside what the registry metadata declared.
ℹ Install mechanism
This is instruction-only from the registry perspective (no install spec), but the package includes code and a package.json that depends on tronweb and ethers. Users must run npm install themselves. No remote binary downloads or obscure URLs are used; dependencies are standard npm libs. This is moderate-risk (running arbitrary JS) but not anomalous for the stated purpose.
⚠ Credential requirements
The skill requires a wallet private key for signing transactions (TRON_PRIVATE_KEY / PRIVATE_KEY) or a local key file and optionally a PINATA_JWT for IPFS pinning. Those credentials are directly relevant to blockchain registration and thus proportionate to the feature — however they are not declared in the registry metadata (required env vars: none, primary credential: none), creating a dangerous gap: users may grant sensitive keys unintentionally. Requesting a plaintext private key or a file under ~/.clawdbot/wallets increases risk if users reuse production keys.
✓ Persistence and permissions
The skill does not request always:true and does not modify other skills or system-wide settings. It runs as scripts when invoked. There is no evidence it persists beyond its own files or tries to enable itself automatically.
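The credential-requirements and instruction-scope findings above come down to one check: what the skill's code actually reads (environment variables, files under the home directory) versus what the registry metadata declares. The script below is an added example of that check, written for this page and not part of the 8004-skill package or the scanner. The sample source files and the `requiredEnv`/`declaredPaths` metadata fields are constructed to mirror the findings described above (TRON_PRIVATE_KEY, PRIVATE_KEY, PINATA_JWT, ~/.clawdbot/wallets/.deployer_pk); they are assumptions, not the skill's real files or the registry's real schema.

```javascript
// Added example: compare the env vars and home-directory paths a skill's
// scripts reference against what its registry metadata declares.
// Sample files and metadata below are constructed for illustration.

// process.env.NAME and process.env['NAME'] / process.env["NAME"]
const ENV_RE = /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*['"]([A-Za-z_][A-Za-z0-9_]*)['"]\s*\])/g;
// '~/...' string literals and path.join(os.homedir(), '...') arguments
const TILDE_PATH_RE = /['"`](~\/[^'"`\s]+)['"`]/g;
const HOMEDIR_JOIN_RE = /homedir\(\)\s*,\s*['"`]([^'"`]+)['"`]/g;
// Names that usually hold secrets; used only to rank findings.
const SECRET_NAME_RE = /(KEY|SECRET|TOKEN|JWT|PASS|PRIVATE|MNEMONIC)/i;
const SECRET_PATH_RE = /(wallet|key|\bpk\b|_pk)/i;

// Unique, sorted env var names read via process.env in one source file.
function findEnvRefs(source) {
  const names = new Set();
  for (const m of source.matchAll(ENV_RE)) names.add(m[1] || m[2]);
  return [...names].sort();
}

// Unique, sorted home-directory paths referenced in one source file,
// normalised to the '~/...' form.
function findHomePaths(source) {
  const paths = new Set();
  for (const m of source.matchAll(TILDE_PATH_RE)) paths.add(m[1]);
  for (const m of source.matchAll(HOMEDIR_JOIN_RE)) paths.add('~/' + m[1].replace(/^\/+/, ''));
  return [...paths].sort();
}

// files: { relativePath: sourceText }, metadata: { requiredEnv, declaredPaths }.
// Returns every env var or home path the code uses that metadata does not declare.
function auditSkill(files, metadata) {
  const declaredEnv = new Set(metadata.requiredEnv || []);
  const declaredPaths = new Set(metadata.declaredPaths || []);
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    for (const name of findEnvRefs(src)) {
      if (!declaredEnv.has(name)) {
        findings.push({ file, kind: 'undeclared_env', name, secret: SECRET_NAME_RE.test(name) });
      }
    }
    for (const p of findHomePaths(src)) {
      if (!declaredPaths.has(p)) {
        findings.push({ file, kind: 'undeclared_home_path', name: p, secret: SECRET_PATH_RE.test(p) });
      }
    }
  }
  return findings;
}

// 'suspicious' when code reads a secret-looking credential the metadata omits.
function verdict(findings) {
  return findings.some((f) => f.secret) ? 'suspicious' : 'ok';
}

// Constructed sample resembling the scripts this report describes (not the real files).
const SAMPLE_FILES = {
  'scripts/register.js': `
const fs = require('fs');
const os = require('os');
const path = require('path');
const KEY_FILE = path.join(os.homedir(), '.clawdbot/wallets/.deployer_pk');
const pk = process.env.TRON_PRIVATE_KEY || process.env['PRIVATE_KEY']
  || fs.readFileSync(KEY_FILE, 'utf8').trim();
const RPC = process.env.TRON_RPC || 'https://api.trongrid.io';
`,
  'scripts/pin.js': `
const jwt = process.env.PINATA_JWT; // optional, for IPFS pinning
`,
};
// What the registry metadata in this report declares: nothing.
const SAMPLE_METADATA = { requiredEnv: [], declaredPaths: [] };

const sampleFindings = auditSkill(SAMPLE_FILES, SAMPLE_METADATA);
console.log(verdict(sampleFindings), sampleFindings);
```

Run it against an unpacked skill directory by loading each script into the `files` map; a non-empty result with `secret: true` is exactly the gap this report flags, and the audit goes quiet only once the metadata lists every credential and key file the code touches.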
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/2/16
● Harmless
Install command
Official: npx clawhub@latest install 8004-skill
Mirror (accelerated): npx clawhub@latest install 8004-skill --registry https://cn.longxiaskill.com