Security scan
OpenClaw
Safe
medium confidence
Assessment and recommendations
This skill is coherent with its stated purpose, but signing transactions from any external service requires caution. Before using/installing: 1) Do not paste or transmit your private key to the service or agent — keep signing local. 2) Always decode and inspect the partially-signed transaction (instructions, accounts, lamports transfers, and program IDs) before countersigning. If you can't decode it yourself, ask the agent to present a human-readable breakdown or use a trusted tool (solana-web3,...
✓ Purpose and capabilities
Name, description, metadata, and runtime instructions all align: the API endpoints (/challenge, /mint, /execute) and the stated requirement of a Solana wallet and small SOL for fees are consistent with minting a Candy Machine NFT. No unrelated env vars, binaries, or install steps are requested.
⚠ Instruction scope
The SKILL.md instructs the backend to produce a partially-signed, base64-encoded VersionedTransaction and asks the user/agent to locally sign and submit it. However, it does not instruct the user or agent to decode and inspect the transaction contents (instructions, target accounts, lamports transfers, signers) before signing. That omission is important: a malicious or compromised backend could include extra instructions (e.g., transfer of funds or approvals) in the transaction. The file also shows a JavaScript snippet that imports @solana/web3.js but provides no guidance for hardware wallets or how to verify transaction intent in a secure wallet UI.
✓ Install mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes installation risk. The README suggests downloading SKILL.md via curl to a user path, which is normal for an instruction file but means you are trusting the hosting domain for the skill text.
✓ Credential requirements
The skill requests no environment variables, no credentials, and no config paths. The declared prerequisites (a Solana keypair and ~0.025 SOL) match the described functionality. There are no disproportionate or unrelated secrets requested.
✓ Persistence and privileges
The skill does not set always: true, is user-invocable, and does not request elevated or persistent agent-wide privileges. It does instruct optionally saving SKILL.md locally, which is expected for instruction-only skills.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/13
● Benign
Install command
Official: npx clawhub@latest install claws-nft
Mirror: npx clawhub@latest install claws-nft --registry https://cn.longxiaskill.com