by 安全扫描
OpenClaw
安全
high confidenceNULL
评估建议
What to check before installing/using: 1) Domain verification: SKILL.md calls the API at https://li.quest/v1 while README references docs.li.fi and apidocs.li.fi — confirm that li.quest is the legitimate LI.FI API host you expect. 2) Never paste or store your wallet private key or seed phrase in the agent; prefer an external/hardware wallet or a signing flow that keeps keys off the agent. 3) Do not allow the agent to sign transactions automatically without an explicit human confirmation step; al...详细分析 ▾
ℹ 用途与能力
Name/description match the runtime instructions: the SKILL.md teaches the agent to call LI.FI endpoints to get quotes, routes, and transactionRequest objects. Declared requirements are minimal (curl). One minor inconsistency: registry lists a primary credential LIFI_API_KEY but 'Required env vars' is empty — SKILL.md states the API key is optional for higher rate limits. Overall the requested capabilities align with the stated purpose.
ℹ 指令范围
Instructions are narrowly scoped to calling LI.FI endpoints (via curl), deriving routes/quotes, and returning transactionRequest objects for signing. They do not instruct reading arbitrary local files or unrelated environment variables. Important operational caution: the skill instructs agents to hand transactionRequest objects to 'the agent's wallet' for signing — the SKILL.md does not prescribe a secure signing flow, so there is risk if an agent asks users to paste private keys or if the agent is allowed to sign autonomously.
✓ 安装机制
This is an instruction-only skill with no install spec and no code files to write to disk; required binary is only curl. That is the lowest-risk install surface.
ℹ 凭证需求
The skill declares LIFI_API_KEY as the primary credential (used optionally via the x-lifi-api-key header) and otherwise requires no environment variables — this is proportionate. Verify that you do not provide wallet private keys or other credentials to the agent; the skill does not declare any wallet-private-key env vars, so such access would be out-of-scope and risky.
✓ 持久化与权限
The skill is not always-installed (always: false) and does not request persistent system privileges or to modify other skills. Autonomous invocation is allowed (platform default) but that alone is not a concern here.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/2/17
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install lifi-crosschain
镜像加速npx clawhub@latest install lifi-crosschain --registry https://cn.longxiaskill.com