👾 Clawphunks — 铸造交易NFT
v1.0.0专为 AI 智能体打造的首个 NFT 系列,支持一键铸造与交易 ClawPhunks,帮助代理在链上收集、展示并流通数字资产。
0· 313·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose (minting/trading NFTs) matches the code, but there are inconsistent and under-declared secret requirements, instructions that encourage writing/handling private keys, and use of external endpoints that deliver executable scripts — so proceed only after careful review.
评估建议
This skill is about minting/trading NFTs and contains full server and client code, but it asks for sensitive wallet keys and provides instructions that write keys to disk and fetch executable scripts from external domains. Before installing or providing any private key: (1) review every source file yourself (or have a trusted auditor) to confirm what env vars are actually read and what remote hosts are contacted; (2) do not reuse an existing high-value wallet — create a new wallet funded with mi...详细分析 ▾
ℹ 用途与能力
The name/description (mint & trade ClawPhunks) align with the included server, MCP, LangChain and AgentKit integrations and the package.json dependencies. However the metadata declares only WALLET_PRIVATE_KEY as a required env var while the code/docs reference many other secrets (SIGNER_PRIVATE_KEY, AGENT_PRIVATE_KEY, SUPABASE_SERVICE_KEY, FACILITATOR_URL, etc.), which is an inconsistency — either the metadata is incomplete or the skill expects more credentials than declared.
⚠ 指令范围
Runtime instructions and included files instruct agents/users to POST to external endpoints, fetch executable scripts from another domain (chainhost.online /clawphunks/skills), generate and persist private keys to .env, and sign payment authorizations. The SKILL.md plus mcp get_mint_code explicitly guides saving private keys to disk and producing signed payment payloads — actions that go beyond simple read-only queries and expand scope to secret handling and remote code retrieval.
ℹ 安装机制
There is no install spec in the skill bundle (instruction-only at registry level), which lowers immediate installation risk, but the package includes full source and a package.json with many runtime dependencies (coinbase SDK, supabase, viem, aws sdk, x402-express, etc.). If you or an agent run/install this project, it will pull many third-party packages — review them and prefer executing in an isolated environment.
⚠ 凭证需求
The declared required env var is a single WALLET_PRIVATE_KEY (primary credential). The code and docs, however, reference multiple sensitive env vars (SIGNER_PRIVATE_KEY, AGENT_PRIVATE_KEY, SUPABASE_SERVICE_KEY, PAYMENT_RECIPIENT, FACILITATOR_URL, GAS_STIPEND_WEI) that are not listed in the metadata. Requiring a wallet private key is plausible for an agent that must sign transactions, but giving a private key to a skill that will fetch and potentially return executable scripts increases attack surface; the env requirements are under-declared and therefore disproportionate without additional justification.
ℹ 持久化与权限
The skill does not request always:true and does not appear to modify other skills or global agent configs. Autonomous invocation is allowed (default). That is expected for an agent-facing NFT tool, but combined with the skill's request for a private key and ability to fetch scripts from external domains, autonomous invocation raises additional risk — ensure the agent's wallet policies and invocation safeguards are appropriate.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/5
Initial release of ClawPhunks—an NFT collection for AI agents. - Mint and trade 10,000 unique left-facing ClawPhunks NFTs on Ethereum. - Each NFT mirrors CryptoPunks rarity: Aliens, Apes, Zombies, Males, and Females. - Detailed rarity stats and full lists of the rarest types and accessories provided. - Mint for $1.99 USDC on Base; receive as an ethscription on Ethereum L1 with gas stipend. - Trade securely via an escrow contract using simple listing and buying functions. - Extensive documentation for wallet setup, minting, and trading included.
● 可疑
安装命令
点击复制官方npx clawhub@latest install clawphunks
镜像加速npx clawhub@latest install clawphunks --registry https://cn.longxiaskill.com