📦 Hedera Token Minting — Hedera铸币
v1.0.0在Hedera链上快速创建同质化代币与NFT,支持铸造、供应量控制及权限配置,一键完成链上资产发行。
0· 541·0 当前·0 累计
by 下载技能包
最后更新
2026/2/26
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to be a simple recipe for using the Hedera JavaScript/TypeScript SDK to create and manage tokens, which is coherent. However, the SKILL.md omits how to initialize the Hedera client or where private keys (treasuryKey, supplyKey, adminKey) should come from. Before installing or using the skill:
- Never paste real mainnet private keys into a tool or skill you don't fully trust. Prefer testnet keys for trial runs.
- Ask the publisher (or update the skill) to declare explicit envi...详细分析 ▾
ℹ 用途与能力
The skill's name and examples (using @hashgraph/sdk to create/mint/transfer/burn tokens) align with its stated purpose. Requiring the Hashgraph SDK is reasonable for Hedera token operations. However, the examples assume the presence of a Hedera client and private keys (treasuryKey, supplyKey, adminKey) without documenting how those credentials are supplied or secured.
⚠ 指令范围
SKILL.md gives concrete code for token operations and suggests `npm install @hashgraph/sdk`. It does not instruct the agent to read unrelated system files, but it references variables (client, treasuryId, supplyKey, treasuryKey, etc.) that imply access to sensitive credentials. There is no guidance on initializing the client, target network (testnet/mainnet), or secure key handling — leaving broad discretion about where keys come from.
ℹ 安装机制
This is an instruction-only skill with no install spec. The doc tells users to run `npm install @hashgraph/sdk`, which is a standard npm package install (traceable to the npm registry). That is expected for TypeScript examples but does carry the usual npm supply-chain considerations; no suspicious download URLs or archives are present in the skill itself.
⚠ 凭证需求
The runtime examples clearly require private keys and a configured Hedera client, but the skill declares no required environment variables, primary credential, or config paths. This mismatch is meaningful: the skill needs sensitive credentials to function but does not declare or constrain how they're provided, increasing risk of accidental key exposure or ad-hoc prompts for secrets.
✓ 持久化与权限
The skill does not request persistent platform privileges (always is false), nor does it declare any config-path or cross-skill modification. It appears to rely on the agent executing user-supplied code snippets at runtime; no elevated platform presence is requested.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/15
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install hedera-token-mint
镜像加速npx clawhub@latest install hedera-token-mint --registry https://cn.longxiaskill.com