by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Things to check before installing/using this skill:
- Verify the source: confirm the GitHub repo (unifiedh/autobahn-releases) and its maintainer(s) match the project homepage and team; the registry entry lacks a homepage/description.
- Do not run the installer blindly: the included scripts/install.sh downloads and installs a binary. Verify the release tag, download URL, and preferably check a checksum or signature for the binary before making it executable.
- Version mismatch: ask the publisher ...详细分析 ▾
ℹ 用途与能力
The SKILL.md describes an Autobahn CLI for forming and governing on-chain autonomous entities and the included install script installs an 'autobahn' binary — this is coherent with the stated intent. However the registry entry has no description/homepage, and the included install script's default download version (v0.4.0) does not match the skill registry version (0.0.11), which is unexpected and should be explained.
⚠ 指令范围
The instructions direct agents to generate and store ECDSA private keys and to perform governance actions (propose/vote/execute). They also rely on an API server deployer key for many operations. SKILL.md does not declare where encrypted keys are stored or how they are protected beyond 'do not log keys', and it assumes use of the external 'autobahn' CLI. Creating and managing signing keys and executing on-chain transactions is powerful and risky; the instructions give the agent authority to create keys and use them, which requires explicit operational safeguards that are not specified here.
⚠ 安装机制
The skill includes scripts/install.sh which downloads a prebuilt binary from GitHub releases (https://github.com/unifiedh/autobahn-releases). Downloading an executable from a third-party release is a moderate-to-high risk action unless the binary is signed/verifiable. Additional red flags: the script default VERSION (v0.4.0) differs from the skill package version (0.0.11), and the repository/owner in the install script is not validated in the SKILL.md or registry metadata. There is no declared install spec in the registry (the script exists but isn't wired into an install process), which is an inconsistency.
⚠ 凭证需求
The skill declares no required environment variables, but the instructions mention JWTs, deployer keys, and smart-account key storage and authentication flows (EIP-712 login). Those credentials/keys are high-value secrets. The skill does not declare which environment variables or config paths it will use to store or read these secrets, nor does it require any explicit credentials up front, creating uncertainty about where secrets will be kept and how they'll be protected.
✓ 持久化与权限
The skill does not request 'always: true' and does not declare system-wide config modifications. Autonomous invocation is permitted (the platform default), which increases potential impact if the skill is later given permission to act unattended, so users should control agent autonomy when granting this skill.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.0.112026/2/10
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install autobahn
镜像加速npx clawhub@latest install autobahn --registry https://cn.longxiaskill.com