← Back to Skills Marketplace

Planet Express Marketplace

Name: Planet Express Marketplace
Author: timowhite88

by Fawnsworth · GitHub ↗ · v2.0.0

cross-platform ⚠ suspicious

695

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install planetexpress-marketplace

Description

Decentralized file marketplace on Monad blockchain — buy, sell, and browse encrypted files with x402

Usage Guidance

This skill appears to implement a file marketplace as described, but proceed with caution. Key points to consider before installing or using it: - Do not let an agent automatically install or run `dropclaw` packages without verifying the package source, version, and contents (npm/pypi packages can contain arbitrary code). - Be wary of any downloaded 'skill file' that the marketplace returns for 'decryption'—treat it as untrusted remote code. Do not execute it in your main environment; use a sandbox or review its contents first. - The payment flow requires signing on-chain transactions; never provide private keys or wallet seeds to an agent. Prefer manual signing via your wallet or an external signer. - Verify the API hostname and contract address independently (e.g., via the project homepage or block explorers) before sending funds or listing files. - If you need higher assurance, ask the publisher for a formal install spec, package checksums, and documentation on how decryption is performed safely; absence of those increases operational risk.

Capability Analysis

Type: OpenClaw Skill Name: planetexpress-marketplace Version: 2.0.0 The skill is classified as suspicious due to its declared high-risk capabilities, even though there is no direct evidence of malicious intent within the provided files. It explicitly requests 'network' permissions in `claw.json` and describes interactions with an external API (`https://dropclaw.cloud`) in `SKILL.md`. Furthermore, `SKILL.md` details a cryptocurrency payment flow (x402 protocol) for buying and listing files, implying the agent might be involved in initiating or confirming transactions. The `skillFileUri` parameter in the listing API and the mention of a 'skill file for decryption' in the purchase flow (both in `SKILL.md`) introduce a potential remote code execution (RCE) vulnerability if the agent is designed to fetch and execute arbitrary code from IPFS for decryption without proper sandboxing.

Capability Assessment

✓ Purpose & Capability

Name, description, endpoints, contract address and supported chains are coherent for a decentralized file marketplace; network permission in claw.json matches the stated API usage.

⚠ Instruction Scope

SKILL.md tells the agent how to browse, purchase, and list files via the marketplace endpoints only, but it also says purchasers will 'Receive the encrypted file + skill file for decryption.' That text is ambiguous: it could deliver code or scripts the agent/user must run to decrypt files. The instructions do not explicitly prohibit executing remote code, nor do they describe safe handling of downloaded 'skill file' contents. The doc also mentions storing files via DropClaw (/vault/store) without describing authentication or required keys.

ℹ Install Mechanism

The skill is instruction-only (no install spec), but SKILL.md recommends installing an SDK via `npm i dropclaw` or `pip install dropclaw`. Those installs would fetch third-party packages at runtime (not managed by the skill registry). The lack of an official install spec means the agent or user might install code from external package registries, which increases risk if not verified.

ℹ Credentials

No environment variables, credentials, or config paths are requested — this is proportionate. However, payment flows imply use of on-chain wallets and signing (MON/SOL/USDC) but the instructions do not explain how signing is performed or where private keys are held. If an agent were given or asked to use private keys to complete payments, that would be sensitive but is not specified here.

✓ Persistence & Privilege

always is false and there is no install writing files described by the skill registry. The skill does not request persistent privileges or to modify other skills or system settings.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install planetexpress-marketplace
After installation, invoke the skill by name or use /planetexpress-marketplace
Provide required inputs per the skill's parameter spec and get structured output

Version History

v2.0.0

Initial release — decentralized file marketplace on Monad via x402

Metadata

Slug planetexpress-marketplace

Version 2.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Planet Express Marketplace?

Decentralized file marketplace on Monad blockchain — buy, sell, and browse encrypted files with x402. It is an AI Agent Skill for Claude Code / OpenClaw, with 695 downloads so far.

How do I install Planet Express Marketplace?

Run "/install planetexpress-marketplace" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Planet Express Marketplace free?

Yes, Planet Express Marketplace is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Planet Express Marketplace support?

Planet Express Marketplace is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Planet Express Marketplace?

It is built and maintained by Fawnsworth (@timowhite88); the current version is v2.0.0.

More Skills