Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill appears to implement what it claims (pay-per-call x402 payments + Elsa API access), but it requires you to provide a raw private key (PAYMENT_PRIVATE_KEY) that the code will use to sign payment messages and (if execution enabled) may sign transactions. Before installing:
- Only use a dedicated payment wallet seeded with a small USDC balance (minimal funds). Do not put funds you cannot afford to lose into the PAYMENT_PRIVATE_KEY wallet. Consider using a separate TRADE_PRIVATE_KEY wall...
✓ Purpose and capabilities
The skill's name/description (Elsa x402 DeFi API + micropayments) match what the code requests and does: it uses PAYMENT_PRIVATE_KEY to create a wallet client and attach x402 payment headers, calls Elsa endpoints, and optionally signs on-chain transactions using a trade key. The required secret is proportionate to the stated payment & signing features.
ℹ Instruction scope
SKILL.md instructs the agent and user to run the included TS scripts (npx tsx scripts/index.ts ...) and to set PAYMENT_PRIVATE_KEY (and optionally TRADE_PRIVATE_KEY). The instructions do not attempt to read unrelated system files or unrelated credentials, and they enforce dry-run/confirmation and budget checks. However the guidance explicitly tells users to put a private key into ~/.openclaw/openclaw.json (persistent file), which increases risk if the repo is untrusted or the file is not protected.
✓ Install mechanism
There is no external download/install spec; the package contains a standard package.json/package-lock.json and depends on public npm packages (axios, viem, x402-axios, etc). No unusual or remote ad-hoc URL downloads or extract-from-arbitrary-URL steps are declared.
⚠ Credential requirements
Only PAYMENT_PRIVATE_KEY is declared as required (with TRADE_PRIVATE_KEY optional), which is expected for x402 payments and local signing. That said, a single required env that is a raw private key is highly sensitive: the skill expects you to store a hex private key in config and will use it to sign payment messages (and may be used for signing if TRADE_PRIVATE_KEY is not set). This is proportionate for the feature set but high-risk in practice — it must be handled with strict operational controls (dedicated low-value payment wallet, protect config file, prefer ephemeral or hardware-backed signing if possible).
✓ Persistence and privileges
The skill does not request always:true and does not claim to modify other skill configurations. It asks the user to add env into OpenClaw config for the skill to run (normal). Execution tools are opt-in (ELSA_ENABLE_EXECUTION_TOOLS) and SKILL.md enforces dry-run/confirmation rules.
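Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/27
● Suspicious
Install command
Official: npx clawhub@latest install elsa-x402-api
Mirror (accelerated): npx clawhub@latest install elsa-x402-api --registry https://cn.longxiaskill.com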