📦 KaspaCom DeFi MCP — 技能工具
v0.1.0Use KaspaCom DeFi MCP or CLI to query and transact across KaspaCom DEX, Lending, and LFG Launchpad on IGRA and Kasplex mainnet/testnet. Trigger when the user...
0· 43·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's instructions ask you to install and run an npm package and to supply a wallet private key via MCP_WALLET_KEY, but the registry metadata declares no required env vars or source/homepage — this mismatch plus an unknown package origin means extra caution is warranted.
评估建议
This skill appears functionally consistent with a KaspaCom DeFi CLI/MCP but has two red flags: the runtime tells you to install and run an npm package (which will execute code on your machine) and to supply MCP_WALLET_KEY, yet the registry lists no source/homepage and no required env vars. Before installing: 1) Ask the publisher for the package source (npm page and GitHub repo) and verify checksums and release authenticity. 2) Inspect the package code (or have it reviewed) before running, especi...详细分析 ▾
ℹ 用途与能力
The SKILL.md behavior (querying and transacting on KaspaCom, performing swaps/lending/launchpad actions) matches the name/description — those actions legitimately require network access and a wallet key for writes. However the skill metadata declares no required env vars/credentials while the runtime instructions explicitly reference MCP_WALLET_KEY, an inconsistency that should be resolved.
✓ 指令范围
The instructions stay within the DeFi/CLI domain: they show an npm install, how to start a local MCP server, how to pass MCP_WALLET_KEY for write actions, and recommend testnets. The instructions do not request unrelated files or other system secrets. They do, however, instruct executing code from a package you cannot verify from the registry data.
⚠ 安装机制
The SKILL.md tells users to run `npm i -g @kaspacom/defi-mcp` and `node dist/mcp/index.js`. Installing and executing a global npm package is moderate risk—acceptable for this use-case if the package origin is trustworthy. Here there is no homepage/source provided in the registry metadata, so the package origin and contents cannot be audited from the registry data, increasing risk.
⚠ 凭证需求
Write actions require a wallet private key (MCP_WALLET_KEY) per the instructions. The registry metadata, however, lists no required environment variables or primary credential. Requiring a private key is reasonable for transaction capability, but the omission in metadata is a meaningful mismatch and the practice of putting a private key in an env var should be considered sensitive and handled with caution.
ℹ 持久化与权限
The skill is user-invocable, not always-enabled, and does not request elevated platform privileges. Installing a global npm package modifies the system (binaries on PATH) which is normal for a CLI but is a persistence footprint the user should accept explicitly. There's no indication the skill attempts to modify other skills or system-wide agent configs.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/4/13
Initial publish
● 无害
安装命令
点击复制官方npx clawhub@latest install kaspacom-defi-mcp
镜像加速npx clawhub@latest install kaspacom-defi-mcp --registry https://cn.longxiaskill.com
技能文档
KaspaCom DeFi MCP exposes KaspaCom DeFi through a single MCP server and CLI.
Supports
- DEX: pairs, prices, swaps, add/remove liquidity
- Lending: markets, positions, supply, borrow, repay
- LFG Launchpad: active launches, buy/sell launch tokens
- Networks:
igra,igra-testnet,kasplex,kasplex-testnet
Install
npm i -g @kaspacom/defi-mcp
Start MCP server
MCP_NETWORK=igra node dist/mcp/index.js
With wallet:
MCP_WALLET_KEY="0x..." MCP_NETWORK=igra node dist/mcp/index.js
CLI
kaspacom-defi --help
Good use cases
- "Show me all KaspaCom DEX pairs on Kasplex"
- "Get my lending health factor on IGRA"
- "List active LFG launches"
- "Buy a launch token with 100 KAS"
- "Get protocol info across networks"
Notes
- Read-only tools work without a wallet.
- Write actions require
MCP_WALLET_KEY. - Use
igra-testnetorkasplex-testnetfor safe testing first.