技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.3
统计:⭐ 1 · 42 · 0 current installs · 0 all-time installs
⭐ 1
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:ai-chen2050/glue-x
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill is generally coherent for controlling a Solana wallet and interacting with the GlueX program, but it reads the user's private key file and can sign on-chain transactions while registry metadata does not declare that config access — combined with autonomous invocation this is a meaningful risk the user should understand before installing.
目的
The code and SKILL.md align with the stated purpose (publishing/listening/claiming/approving bounties on Solana). Required binaries (node/npm/npx) and the included dependencies (@coral-xyz/anchor, @solana/web3.js) are reasonable for this functionality. However, the skill accesses a local Solana keypair file (~/.config/solana/id.json) which is expected for signing transactions but is not declared in the skill's registry metadata (required confi…
说明范围
Runtime instructions and the code instruct the agent to load a local private key file and perform on-chain transactions (publish, claim, approve) and run persistent listeners. The SKILL.md warns about not leaking keys, but there is no built-in user-confirmation flow per transaction; an agent invoking the skill could sign transactions without further explicit prompts.
安装机制
No automated install spec in the registry (instruction-only). The repo includes a package.json and package-lock.json that will cause npm to download standard npm packages from public registries; nothing in the lockfile points at obscure download hosts or arbitrary archives. Installing requires running 'npm install' locally, which is expected.
证书
The skill requests no environment variables but reads the user's Solana keypair file from a well-known local path (~/ .config/solana/id.json). This file contains the raw private key material used to sign and move funds. The registry metadata did not declare this config path as required, which is an incoherence and a sensitive access that should be explicitly noted to users.
持久
always:false (good), but model invocation is allowed (default). Combined with the skill's ability to load a private key and sign transactions, autonomous invocation increases the blast radius: an agent could run listeners and automatically claim/approve bounties that move funds from the user's wallet. The SKILL.md recommends using Devnet and a funded keypair, but there is no enforcement or consent gating in the code.
scripts/interact.ts:15
File read combined with network send (possible exfiltration).
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「GlueX」。简介:Operate the GlueX Solana protocol (register profiles, listen to bounties, claim…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/ai-chen2050/glue-x/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。