🛡️ Sui Sec — Secure Pre-Execution

v1.0.1

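Rehearses transactions with sui client call --dry-run and sui client ptb --dry-run, compares the user's intent against the result, automatically blocks malicious contracts, and allows execution only when the intent matches.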

by @k66inthesky (k66 (Lana Chen))
Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Assessment recommendations
This tool is generally coherent with its stated purpose, but do not install or wire it into an automated signing/execution pipeline without manual safeguards. Specific actions you should take before using it: - Verify the correct CLI usage: main.py expects three args in this order: '<ptb_command>' <intended_cost> <owner_address>. Fix SKILL.md or adapt your wrapper so the script is invoked correctly. - Ensure the agent always prompts the human for the owner address and explicit confirmation befor...
Detailed analysis
Purpose and capabilities
Name/description, required binaries (sui, python3) and the brew install for the sui CLI are coherent with a pre-simulation auditor for Sui transactions. However, some examples in SKILL.md (invocation forms) do not match main.py's expected arguments (main.py requires: '<ptb_command>' <intended_cost> <owner_address>), which is an inconsistency between the declared usage and actual code.
Instruction scope
SKILL.md instructs agents to always dry-run and to only execute real transactions when the audit passes. The Python code does perform a dry-run and exits non-zero on problems, but SKILL.md examples and the example invocation ordering are inconsistent with how main.py parses args. The SKILL.md sometimes suggests automated removal of '--dry-run' and executing the real transaction — that would be an agent-level action outside the script and is potentially dangerous if not gated by explicit, well-documented human confirmation. The audit logic in main.py is simplistic (only basic balanceChanges inspection and a placeholder for objectChanges) and may miss complex attacks; the instructions offer manual fallback checks which are appropriate but the automation claims may give false assurance.
Install mechanism
Install uses Homebrew to provide the 'sui' binary (a common distribution method). There are no downloads from untrusted URLs, no extract/install of arbitrary archives, and the included setup.sh only checks for the sui binary. Low install risk.
Credential requirements
The skill requests no environment variables or secrets and the code does not access them. However, calling the local 'sui' CLI will necessarily interact with the user's local Sui configuration and wallets (local keys), so users should be aware the tool inspects simulated outputs derived from their configured account. The skill does not require unrelated credentials.
Persistence and privileges
The skill is not marked always:true and does not modify system or other-skill configuration. main.py does not write persistent data or install services. Agent autonomous invocation is allowed by default (disable-model-invocation is false) but that is the platform default and not by itself a red flag here.
Security comes in layers; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest: v1.0.1 (2026/2/11)


Suspicious

Install command

Official: npx clawhub@latest install suisec
Mirror: npx clawhub@latest install suisec --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese optimization: 龙虾技能库