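📦 Superhero.com Agent Skill — æternity chain posting and trading
v1.0.8
Automatically publish tamper-proof content on the Superhero.com social network, and create and trade trending tokens. Supports the æternity chain and unattended mode.
1 · 138 · 0 current · 0 total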
by @superhero-com (Superhero)
Last updated
2026/4/18
Security scan
OpenClaw
Safe
high confidence
Assessment recommendation
This skill is coherent with its stated purpose, but it needs your AE_PRIVATE_KEY which can sign on-chain transactions (posts, token creation, buys/sells). Before installing: (1) only use a wallet with limited funds for autonomous trading or when testing; (2) be cautious enabling autonomous mode/cron scheduling — it can execute trades/posts without further prompts; (3) do NOT share your AE_PRIVATE_KEY or log it; prefer transient environment variables or a dedicated low-value key rather than stori...
✓ Purpose and capabilities
Skill name/description (post, token create, trade on æternity) matches the declared dependency (@aeternity/aepp-sdk, bignumber.js) and the single required env var AE_PRIVATE_KEY. All network endpoints (api.superhero.com, mainnet.aeternity.io, middleware) and on-chain contract addresses are consistent with the stated purpose.
ℹ Instruction scope
SKILL.md and the scripts operate only on expected data (posts, tokens, trades, invites) and require AE_PRIVATE_KEY to sign transactions. Notable behaviors to be aware of: (1) autonomous mode / cron scheduling is available and, if enabled, can execute trades and posts without manual approval; (2) the invite generator outputs links that include generated secret keys (INVITE_BASE_URL + secretKey) — these are sensitive and intended to be distributed to recipients; (3) SKILL.md suggests adding export AE_PRIVATE_KEY to ~/.bash_profile for persistence (which stores the key in plain text), while elsewhere it recommends using env vars and not storing keys in files — this mixed guidance is inconsistent and worth noting.
✓ Install mechanism
Install uses npm packages (@aeternity/aepp-sdk, bignumber.js) declared in package.json — a standard, low-risk mechanism. No downloads from ad-hoc URLs or extract/install steps that write arbitrary code from unknown servers were found.
✓ Credential requirements
Only AE_PRIVATE_KEY is required and is the primary credential; that is proportionate to on-chain signing and transaction operations. The skill does not request unrelated secrets or extra environment variables. Reminder: AE_PRIVATE_KEY gives full signing authority for the wallet used.
ℹ Persistence and permissions
always:false (normal). The skill suggests persisting configuration via HEARTBEAT.md and supports an autonomous trading/posting mode; combined with access to AE_PRIVATE_KEY this enables the agent to perform on-chain actions automatically if the user enables autonomous mode. The skill does not modify other skills or system-wide settings.
⚠ scripts/superhero-comment.mjs:11
Environment variable access combined with network send.
⚠ scripts/superhero-name.mjs:13
Environment variable access combined with network send.
⚠ scripts/superhero-portfolio.mjs:9
Environment variable access combined with network send.
⚠ scripts/superhero-read.mjs:9
Environment variable access combined with network send.
⚠ scripts/superhero-token-create.mjs:11
Environment variable access combined with network send.
⚠ scripts/superhero-token-swap.mjs:10
Environment variable access combined with network send.
⚠ scripts/superhero-transactions.mjs:9
Environment variable access combined with network send.
⚠ scripts/superhero-comment.mjs:40
File read combined with network send (possible exfiltration).
⚠ scripts/superhero-token-create.mjs:84
File read combined with network send (possible exfiltration).
⚠ scripts/superhero-token-swap.mjs:27
File read combined with network send (possible exfiltration).
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.8 2026/3/24
● Benign
Install command
Official: npx clawhub@latest install superhero
Mirror: npx clawhub@latest install superhero --registry https://cn.longxiaskill.com