Security Scan
OpenClaw
Security
medium confidence
Assessment and recommendations
This guide appears internally consistent, but AGENT_SIGNING_KEY is a powerful secret. Only supply a signing key you control and that is scoped/isolated for reputation proofs (do NOT use a private key that also controls exchange withdrawals or funds). Prefer an ephemeral or dedicated identity key, hardware-backed keys, or keys with limited scope. Before supplying a live key: review the full SKILL.md examples to confirm they only sign and submit proofs to the GreenHelix endpoints you expect, test ...
✓ Purpose and capabilities
The name/description are about producing cryptographic PnL proofs and the skill declares a single credential: AGENT_SIGNING_KEY, which is exactly the kind of secret needed to sign proofs. There are no unrelated environment variables, binaries, or install steps declared.
ℹ Instruction scope
SKILL.md is an extensive guide with code examples and API integration against GreenHelix sandbox. The provided excerpts show instructions to create identities, sign claims, build Merkle proofs, and submit them to GreenHelix — all consistent with the stated purpose. Because this is instruction-only, the agent following it would need access to the signing key; ensure the guide does not instruct reading unrelated secrets or arbitrary local files (no evidence of that in the excerpt, but the file was truncated).
✓ Install mechanism
No install spec and no code files — the skill is instruction-only, so nothing is downloaded or written by the installer. This is low-risk from an install perspective.
ℹ Credential requirements
Only AGENT_SIGNING_KEY is required, which is proportional to a signing/identity-based reputation system. This key is highly sensitive: if provided it can be used to sign claims on behalf of the operator. The skill does not request exchange API keys or other unrelated credentials (which would be concerning).
✓ Persistence and privileges
The skill is not always-enabled and does not request elevated persistence. It does allow normal autonomous invocation (platform default), which combined with a signing key could allow the agent to sign data autonomously — a normal capability but something to be aware of.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.3.1 2026/4/12
● Benign
Install command
Official: npx clawhub@latest install greenhelix-verified-bot-reputation
Mirror (accelerated): npx clawhub@latest install greenhelix-verified-bot-reputation --registry https://cn.longxiaskill.com