Security scan
OpenClaw
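Suspicious
Medium confidence. The skill's stated purpose (ERC-8004 identity checks + Uniswap OTC settlement) matches its instructions and declared tools, but on-chain settlement can be triggered through platform connectors without declaring the required credentials or signing permissions. This raises risk and needs clarification before use.
Assessment recommendations
- Before installing, ask the platform what permissions the listed `mcp__uniswap__*` tools and `Task(subagent_type:trade-executor)` have, in particular whether they can sign or broadcast transactions using a platform or user wallet.
- In the agent flow, require explicit user confirmation/consent for any on-chain transaction, and limit default amounts (test first with small trades or on a testnet).
- Verify the publisher's identity (the owner ID and the GitHub reference in the README); the source in the registry metadata is 'unknown'.
- Confirm how the ERC-8004 identity check is implemented and whether any off-chain data is sent to third parties. If you cannot confirm that transaction signing requires an explicit wallet prompt (rather than implicit platform signing), treat the skill as high risk and avoid granting it access to real funds.
Detailed analysis
✓ Purpose and capabilities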
Name/description ask for ERC-8004 identity checks, Uniswap pricing, atomic settlement and cross-chain intents; the SKILL.md explicitly references those flows and lists Uniswap-related mcp tools and identity-verifier/trade-executor subagents. The requested capabilities are coherent with the stated purpose.
ℹ Instruction scope
The instructions stay on-topic (verify counterparty, fetch pool prices, negotiate terms, submit swap or cross-chain intent). However, they include execution steps (execute_swap, submit_cross_chain_intent) that will perform on-chain actions. The SKILL.md does not declare how transaction signing/authorization is obtained (user wallet prompts, platform wallet, or stored keys). That missing detail matters because the agent could cause fund movement if the environment provides signing capability.
✓ Install mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. Low install risk.
ℹ Credential requirements
The skill declares no required environment variables or credentials (which is reasonable for an instruction-only skill). But it lists a set of mcp__uniswap__* tools and Task subagents that likely rely on platform-managed wallets or connectors. Because the skill does not document what credentials or wallet access those tools require, it's unclear whether additional secrets/keys are implicitly needed or used.
ℹ Persistence and privileges
always:false and user-invocable:true (normal). The agent may invoke this skill autonomously (disable-model-invocation:false), which is platform default; combined with the ability to execute on-chain swaps, that increases the blast radius if connectors have signing authority. There is no explicit instruction in SKILL.md requiring explicit user confirmation before executing settlement transactions — this should be clarified.
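Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v0.1.0 2026/2/10
agent-otc-trade v0.1.0 - Initial release.
- Enables direct agent-to-agent OTC token trading, using Uniswap as the settlement layer.
- Verifies the counterparty agent's identity and checks its trust tier via ERC-8004.
- Uses Uniswap pool pricing for fair, transparent OTC price discovery.
- Supports atomic on-chain settlement, including cross-chain trades using ERC-7683 intents.
- Automatically records an audit log for every trade, capturing the counterparty agent, terms, and transaction details.
● Suspicious
Install command
Official: npx clawhub@latest install agent-otc-trade
Mirror (accelerated): npx clawhub@latest install agent-otc-trade --registry https://cn.longxiaskill.com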