📦 Clawchain — Blockchain Agent Client

v1.0.1

A Substrate chain RPC client built for EvoClaw agents. It can query on-chain agent data and submit transactions, enabling seamless on-chain/off-chain interaction.

Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Assessment recommendations
This skill appears to implement a Substrate RPC client, but there are several inconsistencies you should address before installing or running it: 1) The Rust code reads the environment variable CLAWCHAIN_OWNER (and the init script uses WORKSPACE) but the skill metadata doesn't declare these—decide whether the agent will get an owner key from an env var, a config file, or a secure signer, and document it. 2) Review the included script (scripts/init-clawchain.sh) before executing; it writes a conf...
Detailed analysis
Purpose and capability
The name/description (ClawChain RPC client) aligns with the provided Rust client libraries and examples: the code implements querying storage, submitting extrinsics, subscribing to events, and helper scripts for config. That said, there are implementation oddities (e.g., inconsistent RPC method names such as 'author_submitExtrinsic' vs 'agent_submitExtrinsic', use of 'blake_256' which doesn't exist alongside 'blake2_256', and simplistic placeholder SCALE encodings) that look like incomplete or sloppy engineering rather than deliberate capability mismatch.
Instruction scope
The SKILL.md runtime instructions do not declare or mention environment variables that the code actually reads (get_owner_address() reads 'CLAWCHAIN_OWNER'), nor do they reference the included scripts (scripts/init-clawchain.sh uses WORKSPACE and writes a config file). The client code will open network connections (WebSocket to whatever RPC URL is provided) and can submit transactions; these actions are consistent with purpose, but the runtime instructions are incomplete about configuration and side effects (creating files under WORKSPACE, reading env vars).
Install mechanism
There is no install spec (instruction-only), which is lower risk; however the skill bundle includes code and an executable shell script. While nothing is automatically downloaded at install time, those files can be executed by an agent following SKILL.md or by a user — review the script before running. The script itself only writes a JSON config and uses default local endpoints; it does not pull remote binaries.
Credential requirements
The skill metadata declares no required environment variables, but the code reads CLAWCHAIN_OWNER (with a fallback to a hardcoded address) and the init script references WORKSPACE. Asking for or reading an owner key/env var is plausible for signing/submitting transactions, but the metadata should declare these. Also the client expects private key usage for signing in practice (SKILL.md mentions programmatic signing) but the code does not implement signing — this mismatch could lead integrators to inadvertently expose credentials elsewhere. No other unrelated secrets are present, but the undocumented env access is a proportionality/visibility concern.
Persistence and privileges
The skill does not request 'always: true', does not declare system-wide config modifications, and contains no automatic persistence mechanism. The included init script writes a local config file under WORKSPACE (or $HOME/workspace) but that is limited in scope. Autonomous invocation is enabled by default (normal) and not, by itself, a new risk here.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest v1.0.1 2026/2/9

Suspicious

Install command

Official: npx clawhub@latest install clawchain
Mirror: npx clawhub@latest install clawchain --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库