📦 Underground MCP Skill — 地下文化区工具箱
v4.5.0集成16款工具(含13款免费开发者实用程序:UUID、JSON、Base64、哈希、JWT、正则、cron等)及浏览器功能,为The Underground Cultural District提供一站式MCP服务。
0· 146·0 当前·0 累计
by 下载技能包
最后更新
2026/4/21
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This package largely does what it says (utilities + a marketplace), but pay attention to these risks before installing or using it: 1) agent-mesh relays and agent-identity imply your agent messages and stored identity may travel through or be stored on external servers — ask the author where data is routed and whether messages are encrypted or retained; 2) the buy/verify flows contact remote APIs (substratesymposium.com / underground.substratesymposium.com) — do not submit private keys, secrets,...详细分析 ▾
ℹ 用途与能力
Name/description align with the listed developer utilities and marketplace tools. However, agent-facing services (agent-mesh, agent-identity, verify-receipt/buy flows) inherently require network relays and persistent storage; the skill declares no required credentials or storage paths and the SKILL.md does not explain where messages/identities/payments are processed or stored. That omission is worth questioning even though the declared functionality itself is plausible.
⚠ 指令范围
SKILL.md and README describe browsing, searching, buying, and agent services but do not document privacy/retention or the endpoints used for relay/storage. The included code fetches a remote catalog (substratesymposium.com) and implements buy/verify flows; the agent-mesh feature implies routing arbitrary agent messages (potentially sensitive) through external infrastructure. The instructions do not warn users about transmitting secrets (JWTs, private keys, private messages) to the service.
ℹ 安装机制
No formal install spec in the skill manifest, but README/SKILL.md recommend npx @underground-cultural-district/mcp-server and package.json/bin indicate an npm package. Installing via npx/npm will execute code from the npm registry (moderate risk). The package uses standard npm dependencies (no direct-download URLs or obscure hosts), which is expected for a Node MCP server.
ℹ 凭证需求
The skill requests no environment variables or credentials, which superficially reduces immediate credential risk. However, some features (payments, verify-receipt, agent identity, messaging) normally require either API keys or explicit documentation of how/where data is verified or stored; their absence is an unexplained gap rather than clear evidence of safety.
ℹ 持久化与权限
The skill does not request always:true, does not declare config paths, and is user-invocable only. Despite that, it advertises 'persistent identity storage across sessions' and 'agent-mesh cross-machine relay' without describing whether persistence is local, in-memory, or on a remote server — this ambiguity affects privacy and persistence expectations and should be clarified.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv4.5.02026/3/25
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install underground-cultural-district
镜像加速npx clawhub@latest install underground-cultural-district --registry https://cn.longxiaskill.com