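📦 Near Getpay — Crypto Payment Page
v1.0.0
Integrates PingPay or HOT PAY to generate a polished payment page in one click. Supports receiving NEAR, USDC, USDT and other crypto assets, and can be embedded in a website or shared as a link without writing code.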
0 · 621 · 0 current · 0 cumulative
Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
What to consider before installing:
- Secrets: Do NOT paste API keys or private keys directly into chat with an agent. Prefer adding them to the skill's .env file on your machine and keep the file local (gitignored). The SKILL.md example encourages pasting keys into chat — avoid that.
- Required binaries: The runtime spawns 'npx', 'ts-node' and an 'ssh' reverse tunnel (localhost.run). Make sure those binaries are present and that you're comfortable exposing a local port via an external tunnel.
-...
Detailed analysis
ℹ Purpose and capabilities
The code implements a hosted payment page, PingPay client, and an orchestrator for on-chain swaps/bridges; these align with the stated purpose. However, the skill also exposes functions that call a separate 'near-intents' module to perform swaps/bridges (index.ts/payment-orchestrator), which is more than a simple static checkout page — this is plausible but broader than the minimal 'payment page' claim.
⚠ Instruction scope
SKILL.md instructs the agent to ask users to "share" API keys in chat or add them to .env. Having the agent solicit secrets over chat is risky and not limited in the instructions. The runtime steps create a public tunnel (ssh to localhost.run) and run local code (npx/ts-node) — these are expected for exposing a page but mean a local service will be exposed externally. The skill also dynamically imports a '../near-intents' module and calls executeIntent, giving it the ability to run cross-skill/local code for on-chain actions.
ℹ Install mechanism
There is no formal install spec in the registry (instruction-only), but the package includes package.json and expects npm install and npx/ts-node. All dependencies come from npm (common packages). No remote downloads or obscure URLs were found. However, required binaries like 'ssh' and 'npx'/'ts-node' are used but not declared in the top-level registry metadata, which is inconsistent.
⚠ Credential requirements
The top-level registry metadata reported 'no required env vars', but skill.json and the code expect RECIPIENT_ADDRESS, PAYMENT_PROVIDER and (in practice) PINGPAY_API_KEY and HOTPAY item IDs; index.ts and usage text also reference NEAR_ACCOUNT_ID and NEAR_PRIVATE_KEY for on-chain payments. Sensitive credentials (PingPay API key, potentially NEAR private key) are required for full functionality; these are proportionate for payment operations but the skill's metadata and SKILL.md are inconsistent about which variables are required and the SKILL.md explicitly encourages pasting keys into chat, increasing exfiltration risk.
✓ Persistence and privileges
The skill does not request permanent platform-wide presence (always:false) and does not modify other skills' configurations. It does import a ../near-intents module if available, which could invoke other skill logic, but the skill itself does not persist beyond running the local server and tunnel.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/16
● Suspicious
Install command
Official: npx clawhub@latest install near-getpay
Mirror (accelerated): npx clawhub@latest install near-getpay --registry https://cn.longxiaskill.com