← Back to Skills Marketplace
1081
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install near-batch-sender
Description
Batch operations for NEAR tokens - send to multiple recipients, transfer NFTs, claim rewards with cost estimation.
Usage Guidance
This skill implements the advertised NEAR batch operations but you should be cautious before installing or running it. Key points:
- The metadata does NOT declare that the 'near' CLI is required, but the script calls 'near' via shell exec; ensure you have NEAR CLI installed and understand which local keys/credentials it will use (e.g., ~/.near-credentials). Treat that as an implicit required dependency.
- The script builds shell commands by interpolating values from your JSON files directly into exec() calls. That is a command-injection risk: if any account, token_id, contract, or amount contains unexpected characters, an attacker controlling the JSON could run arbitrary shell commands. Only run this tool with trusted input files, or sanitize/validate inputs before use.
- The 'claim' operation is not implemented in the script; it warns that protocol-specific integration is required.
- Recommendations before use: review the script yourself (or run in a safe/test environment), run with a test account and small amounts first, ensure your NEAR CLI keys are secured, and consider reimplementing the command execution to call NEAR RPCs or use a native SDK / spawn with argument arrays (to avoid shell interpolation) rather than string-passed exec. If you expect the agent to call this autonomously, restrict autonomous invocation until you are comfortable with these risks.
Capability Analysis
Type: OpenClaw Skill
Name: near-batch-sender
Version: 1.0.0
The `scripts/batch.js` file uses `child_process.exec` to run `near` CLI commands. Inputs such as `senderAccount` (from command-line arguments) and values from the input JSON files (e.g., `recipient.account`, `transfer.contract`) are directly interpolated into shell commands without proper sanitization. This creates a severe shell injection vulnerability, allowing an attacker to execute arbitrary commands on the system by crafting malicious input, which could lead to data exfiltration or other unauthorized actions.
Capability Assessment
Purpose & Capability
Name/description match the code and README: the script performs batch sends, NFT transfers, and cost estimates. However the skill metadata declares no required binaries or credentials while both SKILL.md/README and the script expect the 'near' CLI to be installed and configured — a clear mismatch between declared requirements and actual capabilities.
Instruction Scope
The runtime instructions and script operate within the stated domain (read a JSON file, run batch operations). However the implementation constructs shell commands by interpolating user-provided fields directly into child_process exec calls (e.g., recipient.account, amount, transfer contract/token_id). This creates a command-injection risk if inputs are not strictly validated or controlled. The 'claim' command is only a placeholder and not implemented, which is a scope gap but not malicious by itself.
Install Mechanism
No install spec (instruction-only / script included) — lower risk of arbitrary remote code install. The code does rely on an out-of-band dependency (NEAR CLI) but that dependency is not declared in the metadata. The lack of an install step means nothing is automatically downloaded at install time, but runtime will invoke external binaries.
Credentials
The skill declares no required environment variables or credentials, yet it implicitly depends on NEAR CLI configuration (local key files / credentials under the user's NEAR config) to sign and send transactions. Not declaring this may mislead users about what will be accessed. No explicit external secrets are requested, but the script will cause the NEAR CLI to use whatever local keys are available — a potential surprise for users who haven't audited where keys live.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always is false, no install hooks). It will only run when invoked; it does not auto-enable itself or modify other skills or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install near-batch-sender - After installation, invoke the skill by name or use
/near-batch-sender - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of NEAR Batch Sender:
- Batch send NEAR tokens to multiple recipients.
- Batch transfer NFTs to multiple accounts.
- Batch claim rewards or airdrops.
- Cost estimation for batch operations before execution.
- Progress tracking for batch operations.
Metadata
Frequently Asked Questions
What is Near Batch Sender?
Batch operations for NEAR tokens - send to multiple recipients, transfer NFTs, claim rewards with cost estimation. It is an AI Agent Skill for Claude Code / OpenClaw, with 1081 downloads so far.
How do I install Near Batch Sender?
Run "/install near-batch-sender" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Near Batch Sender free?
Yes, Near Batch Sender is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Near Batch Sender support?
Near Batch Sender is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Near Batch Sender?
It is built and maintained by shaiss (@shaiss); the current version is v1.0.0.
More Skills