Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
Treat this as an educational guide but do not hand over secrets blindly. Before providing any env vars:
1) Ask the author why GITHUB_TOKEN and DASHBOARD_SECRET are required for an instruction-only guide that claims the sandbox needs no key.
2) If you must supply a GitHub token, create a new token with the minimum scope (repo:read for a single repository) or use a deploy key limited to a single repo, and revoke it after use.
3) Never provide private wallet keys—only a public address—and avoid usi...
⚠ Purpose and capabilities
The skill is an instruction-only storefront guide. Requiring a GITHUB_TOKEN (declared as the primary credential) and a DASHBOARD_SECRET is unexpected for a read-only guide that claims the GreenHelix sandbox needs no API key. GITHUB_TOKEN is plausible for a deploy workflow that fetches private repo content, but the SKILL.md presents the guide as educational and sandbox-first; making the GitHub token mandatory is disproportionate unless the skill actually automates repo operations.
ℹ Instruction scope
SKILL.md is large and describes deployment scripts, GitHub content delivery, an admin dashboard, and a deploy.sh. The guide states it does not execute code, but the presence of deploy instructions that reference GitHub fetching and an admin dashboard suggests the author expects the user to run scripts that will need secrets. The instructions as presented do not appear to ask the agent to read unrelated system files, but the truncated content prevents a full audit of all referenced steps.
✓ Install mechanism
No install spec and no code files — instruction-only content — so nothing is written to disk by the skill itself. This is the lowest-risk install pattern.
⚠ Credential requirements
Requires three env variables: GITHUB_TOKEN (primary), WALLET_ADDRESS, and DASHBOARD_SECRET. WALLET_ADDRESS (public address) is low-risk. However, mandating a GitHub PAT and an admin secret for a guide is disproportionate: if the guide is merely instructional (and the sandbox is usable without a key), requiring these secrets appears unnecessary and raises risk of credential exposure. The SKILL.md's justification for these env vars is minimal; DASHBOARD_SECRET in particular is sensitive and should not be handed to a third party without clear need.
✓ Persistence and permissions
The skill is not marked always:true and does not request system-level persistence. It is user-invocable and permits autonomous invocation (platform default). There is no evidence it modifies other skills or system-wide settings.
Security has layers; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.3.1 2026/4/12
● Harmless
Install command
Official: npx clawhub@latest install greenhelix-x402-merchant-starter-kit
Mirror (accelerated): npx clawhub@latest install greenhelix-x402-merchant-starter-kit --registry https://cn.longxiaskill.com