Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and Recommendations
This skill appears to be a coherent multi-chain wallet/agent that will manage private keys and can sign transactions without human input. Before installing: 1) Verify the npm package and GitHub repository (review package contents and evalanche-mcp binary) to ensure the code matches expectations. 2) Prefer storing secrets in OpenClaw secret storage rather than raw env vars; avoid putting your main mnemonic or long-term private key into the skill unless you trust the code. 3) Understand it will cr...
ℹ Purpose and Capabilities
The name/description (multi-EVM agent wallet, on‑chain identity, bridging, DEX aggregation, DeFi operations) maps to the declared requirements: Node + an npm package 'evalanche'. The environment variables declared in SKILL.md (AGENT_PRIVATE_KEY, AGENT_MNEMONIC, AGENT_ID, etc.) are appropriate for a wallet SDK. However the registry summary earlier states "Required env vars: none", which is an inconsistent metadata claim and should be clarified.
⚠ Instruction Scope
The SKILL.md instructs the agent to autonomously generate and manage private keys, write encrypted keystore files to ~/.evalanche/keys (chmod 0600), and create a 32‑byte entropy file, and it can start an MCP HTTP server on localhost:3402. These actions involve creating/managing secrets and running a local server; they are within the advertised wallet scope but expand the agent's access to sensitive local state and network-facing ports and therefore merit explicit user review before use.
✓ Install Mechanism
Install uses npm (package: evalanche) which is expected for a Node-based SDK/CLI. npm installs are moderate-risk compared with pre-reviewed system packages but are proportionate to the stated purpose. No ad-hoc download URLs or archive extraction are present in the spec.
ℹ Credential Requirements
Requested environment variables (private key, mnemonic, keystore dir, chain alias) are relevant for a headless wallet and marked secret in the SKILL.md metadata. There is no request for unrelated credentials. That said, the registry metadata summary contradicts SKILL.md by saying 'none' for required env vars; verify which is authoritative. The skill also mentions preference for OpenClaw secrets — prefer that over raw envs.
ℹ Persistence and Privileges
always:false (good). The skill stores an encrypted keystore under the user's home directory and can run a local HTTP MCP server (localhost:3402) if the user enables it. Autonomous invocation (model invocation enabled by default) combined with stored signing keys raises the potential blast radius (the skill could sign transactions autonomously). This is not an automatic disqualifier but the user should be aware and restrict exposure (do not run HTTP mode publicly, limit agent permissions, use ephemeral keys for testing).
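Security is layered; review the code before running.
Runtime Dependencies
No special dependencies
Version
latest v1.9.2 2026/2/26
● Suspicious
Install Command
Official: npx clawhub@latest install evalanche
Mirror (accelerated): npx clawhub@latest install evalanche --registry https://cn.longxiaskill.com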