🧬 HumanNFT — Human NFT Trading
v1.0.0 One-stop browsing, minting, buying, selling, and swapping of NFTs centered on real human likenesses; the marketplace entry point is humannft.ai.
Last updated
2026/4/22
Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
This skill appears to implement a real marketplace API, but there are important mismatches you should consider before installing:
- Understand signing: The skill’s runtime requires wallet signatures (wallet.signMessage and wallet.sendTransaction). The skill does NOT declare any wallet/private-key env var. Ask the author how signing is intended to be provided (interactive user signing vs. an agent-held private key). Never paste your private key into a skill unless you explicitly trust it and und...
⚠ Purpose and capabilities
The name/description (HumanNFT marketplace: browse, mint, buy, sell) aligns with the API endpoints in SKILL.md and the single declared env var (HUMANNFT_API_KEY). However the SKILL.md repeatedly requires wallet.signMessage and wallet.sendTransaction (i.e., access to a wallet or private key) for on-chain actions while the skill's metadata does not declare any wallet credential or private-key env var. The skill also states agents can act autonomously; without a declared signing credential this is inconsistent (either the agent must prompt a user to sign every tx, or the deployer would need to supply signing material that is not described).
⚠ Instruction scope
The instructions direct the agent to register agents (wallet signature), create transactions via POST → wallet.sendTransaction → confirm via API, and register webhooks (/api/webhooks). All of these are within marketplace functionality, but: (1) wallet signing requires interactive user signing or access to a private key that the skill never requests; (2) registering webhooks allows exfiltration of events to arbitrary URLs if misused; (3) the guidance to 'always confirm' and to use /sync/reconcile shows the skill expects the agent to perform state-changing operations, which magnifies the impact of any missing controls. The SKILL.md does not instruct reading unrelated system files or env vars, which is good.
ℹ Install mechanism
There is no install spec (instruction-only), so nothing is written to disk by the skill itself. The docs recommend an npm helper (npx humannft-mcp) for MCP-enabled platforms — this is optional, but running arbitrary npx packages can pull and execute third-party code and should be reviewed before use.
⚠ Credential requirements
The skill declares a single required env var HUMANNFT_API_KEY, which is reasonable for an API-backed marketplace. However, the runtime flow requires signing transactions (wallet access). The skill does not declare any wallet-related env (e.g., PRIVATE_KEY, WALLET_KEY) or explain how signing will be provided in an autonomous agent context. This mismatch can lead to risky ad-hoc behavior (users or operators might supply private keys outside the declared requirements). Also, the example API key format sk_live_... implies a long-lived secret — treat it as sensitive.
ℹ Persistence and privileges
always:false and no install means the skill does not request elevated persistence. The skill can register webhooks via the platform API which creates persistent external callbacks; combined with autonomous invocation (platform default), that could be used to stream events externally if misconfigured. The skill does not attempt to change other skills or system-wide settings.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/2/14
● Suspicious
Install commands
Official: npx clawhub@latest install humannft
Mirror (accelerated): npx clawhub@latest install humannft --registry https://cn.longxiaskill.com