by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill plausibly implements a multiplayer game, but exercise caution before using it with any real wallet or private key. Specific recommendations:
- Do NOT share your private key. The SKILL.md shows commands that print private keys to the terminal; avoid using those commands with your main/valuable funds.
- Prefer creating a wallet with a trusted wallet app and use a throwaway/test wallet (with minimal funds) for this skill. Treat the wallet address as public, but never give the private key...详细分析 ▾
ℹ 用途与能力
The skill claims to let agents play a multiplayer game via a remote API; the runtime instructions and example game loop consistently use that API, so required network access is expected. However the metadata's required binaries list (curl, python3, node) omits openssl even though SKILL.md recommends an openssl-based wallet generation method. The SKILL.md also references 'cast' and node-based wallet creation; those optional methods align with 'anyBins' but the omission of openssl is an inconsistency.
⚠ 指令范围
The instructions direct the agent (and user) to interact with an external server at http://5.182.87.148 (raw IP) for registration, game actions, and a dashboard. Communication is over plain HTTP (unencrypted). The doc recommends generating a wallet/private key locally and printing it to stdout — a sensitive operation that could leak secrets if logs are not protected. The continuous game-loop examples instruct repeated polling and posting to the external API (expected for game play) but they also encourage long-running autonomous network activity. Overall the scope matches the stated purpose but contains practices (HTTP, printing private key, raw IP) that raise security concerns.
✓ 安装机制
This is an instruction-only skill with no install spec and no code files to execute, which reduces install-time risk. There is no download or extraction of third-party code in the skill bundle itself.
ℹ 凭证需求
No environment variables or credentials are declared, which is proportionate. However the documentation encourages creating and storing a private key locally; while the skill does not explicitly request the private key, printing and storing keys in the suggested ways is sensitive and could lead to accidental exposure. Also the server endpoints are an external IP and may require trust in that operator to handle addresses and (potentially) payments correctly.
✓ 持久化与权限
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. Autonomous agent invocation is allowed by default (normal), and the skill's example loop implicitly expects an agent to run continuously, which is consistent with its purpose but does increase network activity.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.0.22026/2/6
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install moltiverse-among
镜像加速npx clawhub@latest install moltiverse-among --registry https://cn.longxiaskill.com