Skill details (on-site mirror, no comments)
Author: Angelos Kappos @adacapo21
License: MIT-0
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Version: v1.0.0
Stats: ⭐ 0 · 128 · 0 current installs · 0 all-time installs
🛡 VirusTotal: Benign · OpenClaw: Suspicious
Package:adacapo21/cardano-transactions
Security scan (ClawHub)
- VirusTotal: Benign
- OpenClaw: Suspicious
OpenClaw assessment
The skill asks for a SEED_PHRASE environment variable (a highly sensitive secret) but its documentation says the seed phrase is never exposed and the runtime instructions never justify needing that env var — this mismatch is disproportionate and risky.
Purpose
The skill's purpose (sign & submit Cardano transactions via an MCP tool) can normally be achieved by talking to a wallet/MCP server without the agent holding the seed phrase. Declaring SEED_PHRASE as a required env var is not consistent with the stated architecture (the docs explicitly say the seed is never exposed to the AI agent). The one declared install (@indigoprotocol/cardano-mcp) is appropriate for Cardano MCP functionality, so the main…
Instruction scope
SKILL.md instructs a safe confirmation flow (summarize transaction, ask explicit confirmation, only then call submit_transaction). However, the skill's metadata requires SEED_PHRASE while the prose states the seed phrase is never exposed — a direct contradiction. The allowed-tools include Read/Glob/Grep (file access/search) which could be used to read local secrets if the agent were permitted to act, creating scope creep relative to the minima…
Install mechanism
Install is an npm package (@indigoprotocol/cardano-mcp). This is an expected mechanism for Cardano tooling (traceable on npm) and is moderate-risk but proportionate for the described capability. No arbitrary URL downloads or archive extracts are used.
Credentials
Requesting SEED_PHRASE is high privilege and should be unnecessary if an external MCP/wallet service signs transactions. The skill offers no justification for requiring this env var; moreover, its own documentation claims the seed is never exposed to the agent — a conflicting message. An env var named SEED_PHRASE is explicitly a secret-like credential and is disproportionate for a tool that should instead rely on the wallet/MCP service.
Persistence
The skill is not always-enabled and does not request elevated persistence or system-wide config changes. There is no evidence it modifies other skills or agent settings. The only minor note is allowed-tools that permit reading files, which increases potential for accidental local-secret access if capabilities are misused.
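Install (copy to Lobster AI)
Copy the entire paragraph below into a Lobster Chinese Library conversation, and Lobster will complete the installation according to SKILL.md.
Hand this paragraph to Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Cardano Transactions" on this machine. Summary: Sign and submit Cardano transactions with explicit user confirmation.
Fetch the following address to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/adacapo21/cardano-transactions/SKILL.md
(Source: yingzhi8.cn skill library)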
SKILL.md
---
name: cardano-transactions
description: "Sign and submit Cardano transactions with explicit user confirmation."
allowed-tools: Read, Glob, Grep
license: MIT
metadata:
  author: indigoprotocol
  version: '0.1.0'
  openclaw:
    emoji: "📤"
    requires:
      env: [SEED_PHRASE]
    install:
      - kind: node
        package: "@indigoprotocol/cardano-mcp"
---
# Cardano Transactions
Sign and submit Cardano transactions with explicit user confirmation.
## Prerequisites
- `@indigoprotocol/cardano-mcp` server running
## MCP Tools
- `submit_transaction` — Sign and submit a Cardano transaction CBOR
## When to use
Use this skill when the user asks to:
- Submit or send a Cardano transaction
- Sign a transaction with their wallet
- Broadcast a pre-built transaction
## Safety model
**This tool is dangerous.** Before calling `submit_transaction`:
1. Summarize the transaction in plain English.
2. Ask the user to explicitly confirm.
3. Only proceed if the user says yes.
4. **Never submit a transaction automatically.**
## Data interpretation
- Input requires unsigned transaction CBOR (hex string).
- Output includes `transactionHash` and `timestamp` on success.
- The transaction is signed by the connected wallet's keys.