Security Scan
OpenClaw
Safe
High confidence: The skill's requirements and runtime instructions match its stated purpose (a payment MCP client) — it legitimately needs a local private key and the drain-mcp binary — but the private key is sensitive and you should follow the precautions in the guidance below.
Assessment recommendations
This skill is coherent with its stated purpose, but it requires a private Polygon wallet key — treat that key like cash. Before installing or using: 1) Use a dedicated, low-value wallet (the SKILL.md recommends $1–$5 USDC); never reuse your main wallet or store large balances. 2) Verify the drain-mcp npm package and its GitHub repo (check publisher, recent commits, issues, and package integrity/signatures). 3) Prefer installing in an isolated environment (container or VM) and avoid global instal...
✓ Purpose and capabilities
The skill claims to be an MCP client for the DRAIN payment protocol and the declared requirements (drain-mcp binary and a DRAIN_PRIVATE_KEY) are consistent with that purpose. Node.js >=18 and internet access are reasonable given the npm package and on-chain interactions.
ℹ Instruction scope
SKILL.md instructs the agent to generate a local wallet, fund it, call handshake58.com endpoints (e.g., gas-station) and to add the private key into an MCP client config. These steps are aligned with a payment client, but they do instruct sending your public address to external endpoints and storing a private key in local config files, which are sensitive operations and worth caution.
ℹ Install mechanism
There is no install spec in the registry bundle, but the README instructs installing drain-mcp via npm (npm install -g drain-mcp). Installing a maintained npm package is expected for this client, but global npm installs carry the usual supply-chain risk and you should verify the package source and version before installing.
ℹ Credential requirements
Only DRAIN_PRIVATE_KEY is declared as required (plus optional RPC/DIRECTORY/CHAIN variables). That is proportionate to a payment client, but a private key is highly sensitive: it grants on-chain control of funds. The SKILL.md recommends using a dedicated low-value wallet, which is appropriate guidance.
✓ Persistence and privileges
The skill does not request always:true, does not attempt to modify other skills or system-wide settings per SKILL.md, and autoInvoke is false. It therefore does not demand persistent elevated privilege beyond the normal ability to run the drain-mcp client.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v4.0.2 2026/2/24
- Updated wallet setup instructions to emphasize local (on-device) generation and key safety.
- Invite code flow revised: now instructs to redeem codes with a locally-generated wallet address; direct address-based invites deprecated.
- Environment variable table and MCP client setup details clarified for local/private key security.
- Minor copy updates throughout documentation for improved clarity and accuracy.
● Suspicious
Install command
Official: npx clawhub@latest install hs58
Mirror (accelerated): npx clawhub@latest install hs58 --registry https://cn.longxiaskill.com