📦 POIDH Bounty Bot — On-chain bounty management

v1.0.3

Post bounty tasks on Arbitrum, Base or Degen Chain, and automatically evaluate and accept the winning "POIDH" submission, closing the on-chain bounty loop without human intervention.

1 · 519 · 0 current · 0 cumulative
by @saltorioussig (saltoriousSIG)
Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
NULL
Assessment advice
This skill will need your wallet private key and an RPC URL to operate — both are highly sensitive. Before installing or using it: (1) Confirm with the publisher why the registry metadata omitted the PRIVATE_KEY / RPC_URL / binaries listed in SKILL.md. (2) Prefer safer signing: use a dedicated ephemeral EOA with minimal funds, a remote signer, or hardware wallet rather than pasting your main private key. (3) If you must provide a key, avoid passing it on the command line (the examples do); that ...
Detailed analysis
Purpose and capabilities
The SKILL.md clearly requires a PRIVATE_KEY, RPC_URL, and POIDH_CHAIN and lists required binaries (cast, python3) to sign and send transactions and to fetch/evaluate claims. Those requirements are coherent with the stated purpose (creating and accepting Poidh bounties). However, the registry metadata reported earlier (no required env vars / no required binaries) contradicts SKILL.md. That mismatch is notable: either the registry metadata is incomplete or the instructions are out-of-date.
Instruction scope
Runtime instructions direct the agent to use the user's EOA PRIVATE_KEY to sign transactions (cast send --private-key), query the chain, fetch claim URIs (which can be arbitrary external URLs/IPFS/tweets/pages), and evaluate content via vision. Fetching and evaluating arbitrary external content is expected for this task but expands the attack surface (malicious payloads, tracking URLs). Using the raw private key on the agent and passing it as a CLI argument increases exposure (process lists, logs).
Installation mechanism
This is an instruction-only skill with no install spec or code files, which minimizes file-system risk. SKILL.md does declare required binaries (cast, python3) but the registry claimed none — the inconsistency should be resolved. No downloads or external installers are present.
Credential requirements
Requesting a full PRIVATE_KEY and RPC_URL is functionally necessary to post/accept on-chain bounties, but it is a high-privilege secret. The skill does not propose safer alternatives (e.g., signing via a hardware wallet, remote signer, or delegated service). Passing the private key on the command line (as shown) can leak it via process listings or logs. The declared registry metadata failing to list these env vars is an additional red flag.
Persistence and permissions
The skill is not marked always:true and has no install spec that writes persistent binaries or modifies other skills. Autonomous invocation is allowed (the default) and is not, by itself, a new concern; combined with the private key requirement and the fetching of external content, however, it raises the overall risk.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest: v1.0.3 (2026/2/23) · NULL · Suspicious

Install command

Official: npx clawhub@latest install poidh
Mirror (accelerated): npx clawhub@latest install poidh --registry https://cn.longxiaskill.com
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库