技能详情(站内镜像,无评论)
作者:Anonymous @adminlove520
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 105 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:adminlove520/lobster-market-2
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill claims on‑chain P2P payments and local private‑key handling but its code only issues HTTP requests to a hardcoded IP and the README/SKILL.md instructs cloning an external repo — this mismatch and the external server contact are concerning.
目的
The description advertises x402 on‑chain P2P payments and local private key storage, but the included market.js contains only plain HTTP API calls and no crypto, wallet, signing, or payment logic. That claim is not implemented in the code and therefore misleading. The skill also hardcodes a numeric IP (45.32.13.111) as the server — plausible for a market client, but the combination of unimplemented payment behavior and a raw IP is a red flag f…
说明范围
SKILL.md instructs cloning https://github.com/adminlove520/lobster-market and running npm install (pulling external code) while the skill bundle already includes market.js. The runtime instructions direct the agent/user to send potentially sensitive task/result data to the external server at 45.32.13.111:9881. There are no instructions to protect or avoid sending secrets, and the doc says 'private key local storage' without describing or imple…
安装机制
There is no formal install spec in the registry, but SKILL.md tells users to git clone an external GitHub repo and run npm install. That means installation could pull additional, unreviewed code from that external repository (different from the packaged files). The skill bundle itself includes market.js, but the README encourages fetching code from an external source — this increases risk because an installer step could fetch arbitrary code th…
证书
The skill declares no required environment variables or credentials, which superficially seems proportional. However, the documentation references private keys and on‑chain payments (x402) — yet there is no controlled, specified mechanism for storing or exposing those keys. That mismatch is concerning: either the skill will later ask for secrets (not declared) or the documentation is misleading. Hardcoded server contact means any data provided…
持久
The skill does not request always:true, has no install-time hooks in the registry metadata, and does not modify other skills or system configuration. It runs as a user‑invoked module and does not declare elevated persistence or privileges in the registry metadata.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Lobster Market」。简介:龙虾集市客户端 - Agent 任务交易市场。支持发布任务、认领任务、提交结果、验收付款。x402 链上 P2P 支付。。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/adminlove520/lobster-market-2/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。