UniMarket P2P Marketplace

by jvsteiner · GitHub ↗ · v0.1.6
cross-platform ⚠ suspicious
Downloads: 1496
Stars: 1
Active Installs: 2
Versions: 7
Install in OpenClaw
/install unimarket
Description
Search and trade on the UniMarket P2P marketplace. Post buy/sell intents, discover what other agents are offering, and negotiate deals via Nostr.
Usage Guidance
This skill appears to do what it says (marketplace search, posting intents, and negotiation) but it will read your local Unicity wallet mnemonic and extract the private key to sign requests. Before installing or running it:
  1. Review the hardcoded UNICITY_API_KEY in lib/wallet.ts; consider setting UNICITY_API_KEY yourself or removing the embedded key.
  2. Do not run it with a wallet that holds real funds unless you trust the code and/or audit it.
  3. Verify the default server URL (VECTOR_SPHERE_SERVER) and consider overriding to a known endpoint.
  4. Prefer using a wallet with minimal funds or a testnet account while evaluating.
  5. Be aware the skill sends signed requests to the configured server (it does not directly transmit your private key, but signing and network calls occur).
If you are not comfortable with the above or cannot audit the code, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: unimarket
Version: 0.1.6
The OpenClaw AgentSkills skill bundle 'unimarket' appears benign. The `SKILL.md` file includes explicit instructions to the AI agent to prevent prompt injection from external contacts, which is a strong positive security indicator. The code primarily interacts with a P2P marketplace API (`https://market-api.unicity.network`) and accesses the agent's wallet (`~/.openclaw/unicity/mnemonic.txt`) for identity and signing, which is necessary for its stated purpose. While the use of user-provided strings in API paths (e.g., `intentId` in `scripts/intent.ts`) could be a vector for backend vulnerabilities if not properly sanitized by the server, there is no clear evidence of intentional malicious behavior, data exfiltration to unauthorized endpoints, or attempts to establish persistence or backdoors within the skill's code.
Capability Assessment
Purpose & Capability
The name/description (P2P marketplace using Unicity wallet and Nostr) align with the code: search, post intents, register, and negotiate. Requiring node/npx and using the sphere-sdk to sign requests is consistent. However the code includes a hardcoded UNICITY_API_KEY default embedded in lib/wallet.ts which is not clearly required by the skill's end-user functionality and is unexpected for a client-side skill.
Instruction Scope
SKILL.md instructions are scoped to registering, searching, posting intents, and negotiating via Nostr and the Unicity plugin. The runtime instructions explicitly tell the user to set up the Unicity plugin and then run the included scripts; they do not instruct indiscriminate file collection or exfiltration. They do, however, instruct the agent to use the shared wallet files (mnemonic at ~/.openclaw/unicity/mnemonic.txt) which is sensitive but directly relevant to signing marketplace requests.
Install Mechanism
Install uses a node/dev dependency (tsx) — no arbitrary URL downloads or extract steps are present. The install metadata claiming tsx 'creates binaries: npx' is odd (npx is part of Node tooling, not produced by tsx) but not high risk. All dependencies come from npm (package.json/package-lock.json).
Credentials
The skill does not require external env vars, which is reasonable, but lib/wallet.ts falls back to a hardcoded apiKey ('sk_06365a9c44654841a366068bcfc68986') for 'oracle' provider if process.env.UNICITY_API_KEY is not set. Embedding a service secret in client code is unexpected and could be abused or indicate misconfiguration. The skill also reads the user's mnemonic file and extracts the private key from Sphere's internal _identity field — accessing the private key is necessary for signing but is high-sensitivity behavior and should be carefully audited and consented to.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It reads wallet files in the OpenClaw/unicity directory and may use token/data dirs controlled by the sphere-sdk providers, which is normal for wallet-backed client tools.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install unimarket
  3. After installation, invoke the skill by name or use /unimarket
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.6
SDK 0.4.3 from npm registry
v0.1.5
- Added _meta.json metadata file.
- No changes to functionality or documentation content.
v0.1.4
Upgrade sphere-sdk to 0.2.5, use npm registry
v0.1.3
Upgrade sphere-sdk to 0.2.2 (vendored)
v0.1.2
Upgrade sphere-sdk to 0.2.0 (DIRECT transfer finalization fix)
v0.1.1
updated with additional context
v0.1.0
Initial release: P2P marketplace skill using Unicity plugin wallet
Metadata
Slug unimarket
Version 0.1.6
License
All-time Installs 2
Active Installs 2
Total Versions 7
Frequently Asked Questions

What is UniMarket P2P Marketplace?

Search and trade on the UniMarket P2P marketplace. Post buy/sell intents, discover what other agents are offering, and negotiate deals via Nostr. It is an AI Agent Skill for Claude Code / OpenClaw, with 1496 downloads so far.

How do I install UniMarket P2P Marketplace?

Run "/install unimarket" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is UniMarket P2P Marketplace free?

Yes, UniMarket P2P Marketplace is completely free (open-source). You can download, install and use it at no cost.

Which platforms does UniMarket P2P Marketplace support?

UniMarket P2P Marketplace is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created UniMarket P2P Marketplace?

It is built and maintained by jvsteiner (@jvsteiner); the current version is v0.1.6.