技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v0.1.0
统计:⭐ 0 · 475 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :可疑 · OpenClaw :可疑
Package:aidenlippert/settld-mcp-payments
安全扫描(ClawHub)
- VirusTotal :可疑
- OpenClaw :可疑
OpenClaw 评估
The skill's instructions and example server configuration legitimately require Settld credentials and a runtime server, but the registry metadata does not declare any required environment variables and the skill relies on running an external npm package via npx — this mismatch and the dynamic code fetch are concerning.
目的
The SKILL.md purpose (connect to Settld MCP, run paid tool calls, produce receipts) is coherent with needing SETTLD_API_KEY, SETTLD_BASE_URL, and SETTLD_TENANT_ID. However, the registry metadata lists no required environment variables or primary credential despite SKILL.md explicitly naming these secrets. That inconsistency means the package's required privileges are not declared to the platform and may not be surfaced to users.
说明范围
The runtime instructions are narrowly scoped to MCP interactions (calling settld.* tools, returning headers, running an MCP server). They do not instruct reading unrelated files or exfiltrating system data. They do, however, instruct running a server via `npx -y settld-mcp` and using API keys from env vars, which grants an external package the ability to execute arbitrary code at runtime — this broadens the effective scope beyond the written i…
安装机制
There is no formal install spec in the skill manifest, but the SKILL.md and mcp-server.example.json direct users/agents to launch `npx -y settld-mcp`. npx dynamically fetches and executes a package from npm; the skill does not pin a package version, provide a checksum, or link to a repository or homepage. Dynamic npm fetch is a moderate-to-high risk without provenance or pinning, because arbitrary code may be downloaded and executed at runtime.
证书
The environment variables named in SKILL.md (SETTLD_API_KEY, SETTLD_BASE_URL, SETTLD_TENANT_ID, optional SETTLD_PAID_TOOLS_BASE_URL/SETTLD_PROTOCOL) are appropriate for a payment/settlement integration. However, the skill registry metadata did not declare any required env vars or primary credential, creating an omission that hides the fact that the skill needs sensitive secrets. Requiring live API keys without manifest declaration increases th…
持久
The skill is not marked always:true and has no install-time persistence or config writes in the manifest. Autonomous invocation (default) is allowed; combined with a secret API key and the ability to run an npm package, an agent could autonomously make paid calls. This is not intrinsically incorrect, but users should be aware that the skill can be invoked by the agent and may incur charges if given credentials.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Settld MCP Payments」。简介:Connect OpenClaw agents to Settld MCP for paid tool calls with quote-bound auth…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/aidenlippert/settld-mcp-payments/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。