📦 KaspaCom DEX MCP — Skill Tool
v0.1.0
Use KaspaCom DEX through the KaspaCom DeFi MCP/CLI for pair discovery, token pricing, swaps, and liquidity management on IGRA and Kasplex. Trigger on request...
Security scan
OpenClaw
Suspicious
medium confidence
The skill's stated purpose (DEX access) matches the CLI it asks you to install, but the instructions omit any explanation of how signing/credentials are handled and therefore could cause the agent or installed CLI to access or use local wallet credentials unexpectedly.
Assessment recommendations
Do not install or run this CLI blindly. Verify the npm package publisher and repository (inspect the package source on npm/GitHub) before installing; prefer installing in a sandbox or container rather than globally; confirm how the CLI obtains private keys or RPC endpoints (explicit env vars, hardware wallet, or WalletConnect are preferable over automatic local key access). If you plan to allow transactions, use a dedicated wallet with minimal funds and explicit, documented key handling. Require...
Detailed analysis
ℹ Purpose and capabilities
Name and description align with installing and using a Kaspa DEX CLI (@kaspacom/defi-mcp) for pair discovery, pricing, swaps and liquidity management — requiring a CLI package is reasonable for this purpose. However, the SKILL.md does not declare or document any credential, RPC, or wallet requirements that are necessary for transaction commands, which is an omission.
⚠ Instruction scope
SKILL.md tells the agent to globally install an npm CLI and shows both read-only and transaction examples (swap, add/remove liquidity). The runtime instructions do not describe how to provide signing keys, which files/paths the CLI will access, whether it will prompt for passwords, or whether it will contact external endpoints beyond Kaspa L2s. Transaction examples imply the skill will cause on-chain changes, but there is no guardrail or explicit credential handling described.
ℹ Install mechanism
Installation is via 'npm i -g @kaspacom/defi-mcp' (public npm). Using npm is expected for a JS CLI but carries moderate risk: the package publisher and repository are not provided, and a global install can affect system PATH. No direct downloads or arbitrary URLs are recommended, which lowers the install risk compared to arbitrary archives, but you should validate the package source before installing.
⚠ Credential requirements
The skill declares no required environment variables or credentials, yet it includes transaction operations that must be signed. This mismatch is concerning: the CLI will likely require a private key, wallet file, or RPC credentials, but the skill gives no instructions on where these are stored or how to restrict them. That could lead to the CLI/agent accessing local wallet files or environment secrets unexpectedly.
ℹ Persistence and permissions
The skill is not forced-always and is user-invocable, which is appropriate. Autonomous model invocation is allowed by default; combined with transaction-capable commands and the missing credential guidance, this increases the risk that the agent could perform transactions if it obtains signing ability. It does not request persistent system-wide configuration explicitly.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest v0.1.0 2026/4/13
Initial publish
● Benign
Install command
Official: npx clawhub@latest install kaspacom-dex-mcp
Mirror (accelerated): npx clawhub@latest install kaspacom-dex-mcp --registry https://cn.longxiaskill.com
Skill documentation
Focused skill for KaspaCom DEX via MCP/CLI.
Install
npm i -g @kaspacom/defi-mcp
Read-only examples
kaspacom-defi getPairs --network igra
kaspacom-defi getTokenPrice --token WKAS --quoteToken USDC --network kasplex
Transaction examples
kaspacom-defi swap --tokenIn USDC --tokenOut WKAS --amountIn 100 --network igra
kaspacom-defi addLiquidity --tokenA WKAS --tokenB USDC --amountA 100 --amountB 42 --network igra
kaspacom-defi removeLiquidity --tokenA WKAS --tokenB USDC --lpAmount 10 --network igra
Best for
- Pair lookup
- Price checks
- Swaps
- LP management
- Agent-driven DEX access on Kaspa L2s