📦 Aomi Transact - EVM交易构建器
v0.5.0Transact - EVM Transaction Builder 当用户想与 Aomi CLI 交互,检查会话、余额或价格,构建钱包请求,确认报价或路径,签名交易……时使用。
0· 17·0 当前·0 累计
by 下载技能包
最后更新
2026/4/20
安全扫描
OpenClaw
可疑
high confidenceThe SKILL.md describes an EVM transaction CLI that legitimately needs private keys and provider API keys, but the registry metadata lists no required binaries or environment variables and there is no install spec — this mismatch plus instructions to ingest secrets into sessions and that conversation/history live on the backend are concerning and warrant caution.
评估建议
Do not install or use this skill until you confirm a few things: (1) the publisher provides a proper install spec and official release/source for the `@aomi-labs/client` CLI; (2) where `aomi secret add` stores secrets (local only vs sent to Aomi backend) and whether conversation history or secrets are transmitted or retained remotely; (3) whether you accept sending private keys/API keys to that backend — prefer ephemeral/local signing if possible. If you proceed, test read-only commands first, a...详细分析 ▾
ℹ 用途与能力
The skill's stated purpose (building/signing EVM transactions via the Aomi CLI) matches the SKILL.md instructions: chat, tx build/sign, secret ingestion, session controls. However, the registry metadata declares no required binaries, env vars, or credentials while the SKILL.md explicitly requires the `aomi` CLI (via @aomi-labs/client) and viem and references many env vars — an inconsistency that should be resolved by the publisher.
⚠ 指令范围
The instructions direct the agent to ingest and handle highly sensitive secrets (PRIVATE_KEY, AOMI_API_KEY, ALCHEMY_API_KEY, PIMLICO_API_KEY, private RPC URLs) via `aomi secret add` and rely on environment variables. They also explicitly state conversation history lives on the backend. While these steps are relevant to signing transactions, they expand scope to handling and transmitting secrets to a backend service and require explicit user consent and trust; the skill does not make storage/telemetry boundaries explicit in metadata.
⚠ 安装机制
The skill is instruction-only (no install spec), yet the SKILL.md requires installing @aomi-labs/client (npm -g) and viem and expects a `aomi` CLI binary. There is no explicit, vetted install mechanism or provenance in the registry entry, increasing risk because users may follow ad-hoc install instructions that fetch code without review.
⚠ 凭证需求
The SKILL.md references multiple sensitive environment variables and session secrets which are proportionate to a wallet-signing CLI but the registry declares zero required env/credentials. Additionally, secrets ingested into sessions may be stored or processed by the Aomi backend (conversation history on backend is stated), so the effective blast radius includes any remote service the CLI communicates with — users must understand where secrets are stored and transmitted before use.
ℹ 持久化与权限
The skill is not always-enabled and does not request persistent system-wide privileges, which is good. However, model invocation is allowed (default), so an agent could autonomously call the CLI and perform secret-related actions; combined with the secret-ingestion behavior, this increases risk if the agent is allowed to act without explicit, per-action confirmation.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.5.02026/4/20
Execute EVM transactions through conversational AI via aomi CLI
● 无害
安装命令
点击复制官方npx clawhub@latest install aomi-transact
镜像加速npx clawhub@latest install aomi-transact --registry https://cn.longxiaskill.com