📦 Public — Mint NFT

v1.0.1

Mint your own Base Bud NFT on Base mainnet. Requires solving a puzzle, paying 1 USDC, and connecting an EVM wallet.

by @tron04736-star (Basebuds)
Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Assessment recommendation
This skill may be legitimate, but exercise caution. Key points to consider before installing or using it:
- Do not paste your mainnet private key into any agent or prompt. Prefer an external signer (hardware wallet, MetaMask, or a dedicated signing service) or use an ephemeral wallet with only the minimum funds required.
- The SKILL.md requires node and npm at runtime but the skill metadata does not declare them; ensure you are comfortable allowing the agent to run Node, execute scripts, and ins...
Detailed analysis
Purpose and capability
The skill claims only HTTP-based minting with local signing, which fits an NFT mint flow. However, the SKILL.md explicitly requires running Node scripts and optionally running `npm install` to fetch the ethers library — yet the skill metadata declares no required binaries or install steps. That mismatch (no declared dependency on node/npm while instructions demand them) is incoherent.
Instruction scope
Instructions ask the agent to obtain the user's EVM private key and wallet address, run two Node scripts (signing payment and signing the mint tx), call multiple API endpoints on budsbase.xyz, and install ethers into /tmp if missing. While local signing is consistent with the task, the agent is told to request raw private keys from the user and to run npm install in a temp location — both expand scope beyond simple API calls and require executing code on the host. The SKILL.md also tells the agent to restart the flow with a new private key if a mint limit is reached, which could encourage repeatedly requesting new sensitive keys.
Install mechanism
There is no formal install spec (instruction-only), which is lowest-risk in principle. But the runtime directions include an on-demand `npm install --prefix /tmp ethers` fallback. Installing packages from npm at runtime is moderate risk: it's a traceable registry but can introduce arbitrary code execution. The use of /tmp and runtime installs should have been declared in the metadata; absence of that declaration is the primary concern, not the presence of npm itself.
Credential requirements
The skill requests the user's EVM private key (sensitive, effectively full access to the wallet). For signing transactions this is functionally necessary if the user cannot sign externally, but the skill offers no option to integrate with an external signer/hardware wallet or to use a read-only flow. The instruction to request additional private keys if mint limits are hit further increases risk. No environment variables or credentials are declared, but the skill will effectively require a high-sensitivity secret (private key) from the user — this should be made explicit in metadata and safer alternatives should be offered.
Persistence and privileges
The skill does not request permanent presence (always:false) and has no install spec that writes to system config. Its runtime suggestion to install ethers into /tmp is transient and scoped to /tmp; it does not ask to modify other skills or system settings. No other elevated privileges are requested.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest v1.0.1 2026/2/19

Suspicious

Install command

Official: npx clawhub@latest install base-buds
Mirror: npx clawhub@latest install base-buds --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库