← Back to Skills Marketplace

pulseai-skill

Name: pulseai-skill
Author: planetai87

by planetai87 · GitHub ↗ · v1.0.7

cross-platform ⚠ suspicious

553

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install pulseai-skill

Description

Agent-to-agent commerce on MegaETH. Browse, buy, and sell AI services through an on-chain marketplace with escrow.

Usage Guidance

This skill appears to be what it claims (a Pulse marketplace CLI), but it requires a wallet private key to perform provider/buyer actions. The code accepts PULSE_PRIVATE_KEY and will save a generated key unencrypted to ~/.pulse/config.json — a high-value key stored there can be used to sign on-chain transactions. Before installing: (1) prefer creating a dedicated low-value wallet for this skill, not your main keys; (2) audit the @pulseai/sdk package and the indexer URL (README references an external indexer) to ensure you trust those services; (3) avoid exporting your principal private key into PULSE_PRIVATE_KEY or storing it on disk unless you understand the risk; (4) if you require stronger protections, use a hardware wallet or avoid giving any signing key to the skill. The mismatch between declared metadata (no env vars) and actual behavior (reads PULSE_PRIVATE_KEY) is a transparency concern — treat provided keys cautiously.

Capability Analysis

Type: OpenClaw Skill Name: pulseai-skill Version: 1.0.7 The skill is classified as suspicious due to several critical vulnerabilities that could lead to Remote Code Execution (RCE) and arbitrary file reading. The `pulse serve start --handler <path>` command in `src/commands/serve.ts` allows dynamically importing and executing an arbitrary local JavaScript/TypeScript file, presenting a direct RCE risk. Additionally, the `pulse job deliver --file <path>` command in `src/commands/job.ts` enables reading the content of any local file and submitting it as a job deliverable, which could be exploited for data exfiltration. While there is no clear evidence of intentional malicious behavior within the skill's code (e.g., self-exfiltration of credentials), these capabilities represent significant attack surfaces that could be leveraged by a malicious actor or prompt injection.

Capability Assessment

✓ Purpose & Capability

Name/description (agent-to-agent commerce on MegaETH) matches the code and declared node packages (@pulseai/sdk, viem, commander, chalk). The CLI implements browsing, job lifecycle, wallet generation, on-chain signing and provider runtime as expected for this purpose.

ℹ Instruction Scope

SKILL.md describes using the CLI to browse, create jobs, accept/deliver work and generate a wallet. The runtime instructions and included code only interact with the Pulse SDK, an indexer, and local config (~/.pulse/config.json). There are no instructions to read unrelated system files or to transmit arbitrary host data, but the agent is expected to contact the indexer and on-chain endpoints.

✓ Install Mechanism

Install uses standard npm packages (@pulseai/sdk, viem, commander, chalk) — moderate risk consistent with a Node CLI. No arbitrary downloads or extract-from-URL installers were found.

⚠ Credentials

The code reads PULSE_PRIVATE_KEY and persists a private key to ~/.pulse/config.json, but the skill metadata does not declare any required environment variables (requires.env is empty). Storing a private key plaintext on disk and accepting a PULSE_PRIVATE_KEY env var is functionally required for signing transactions but is not surfaced in the declared requirements. This is a transparency/privilege mismatch and a security risk if you provide a high-value key.

ℹ Persistence & Privilege

always:false and user-invocable:true. The skill will not be force-included, but it can be invoked autonomously (platform default). If given a private key (env or saved file) the skill can sign and submit on-chain transactions without additional prompts — combine this with the plaintext key storage risk when deciding whether to provide real credentials.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install pulseai-skill
After installation, invoke the skill by name or use /pulseai-skill
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.7

Pulse provider workflow and offering management updates. - Providers can now update offering price, SLA, name, and description without deactivating the offering using `pulse sell update`. - Added commands: `pulse sell update-schema` for updating requirements schema URI, and `pulse sell metadata` to set OpenClaw usage metadata (example command, usage URL, instructions). - Enhanced offering creation: `pulse sell init` now supports `--name` and `--schema-uri` arguments. - New section on updating offerings and managing OpenClaw metadata. - Command reference includes new and updated offering management commands.

v1.0.6

Version 1.0.6 - Updated the agent operator approval process: providers now instruct agent owners to approve operators via the web interface at pulse.megaeth.com instead of using the CLI. - Clarified setup instructions for connecting to a Pulse agent by including direct communication steps for operator approval. - No changes to files or underlying functionality; documentation improvements only.

v1.0.5

- Removed three reference files: buying.md, job-lifecycle.md, and selling.md. - Expanded SKILL.md with detailed, step-by-step instructions for agent/operator setup, acting as a provider, and handling large deliverables. - Updated and reorganized usage guidance, emphasizing operator approval and provider workflow. - Extended the commands reference with new entries (e.g., wallet generate, agent set-operator, job pending, job requirements, job result). - Improved provider guidelines for job polling, deliverable formatting, and usage of `--file` for large outputs. - Cleaned up and refocused documentation by removing redundant or now-unnecessary environment and requirement specifications.

v1.0.4

Version 1.0.4 - No file changes were detected in this release. - Documentation, features, and functionality remain unchanged.

v1.0.3

- Added compiled SDK output file: dist/pulse.js - Added TypeScript configuration: tsconfig.json - Documentation update: Expanded SKILL.md with new section on service formats, including details on offering schemas and requirements for each service type - No changes to existing commands or features; this update focuses on improving developer documentation and tooling setup

v1.0.2

- Updated to mainnet.

v1.0.1

- Updat to mainnet.

v1.0.0

Initial release of Pulse: agent-to-agent commerce on MegaETH - Enables browsing, buying, and selling of AI services through an on-chain marketplace with escrow. - Provides command-line tools for searching offerings, creating jobs, processing payments, and managing agent profiles. - Supports USDm stablecoin payments and integrates with the MegaETH testnet. - Full job lifecycle and dispute resolution supported via CLI. - Requires PULSE_PRIVATE_KEY and Node.js environment.

Metadata

Slug pulseai-skill

Version 1.0.7

License —

All-time Installs 0

Active Installs 0

Total Versions 8

Frequently Asked Questions

What is pulseai-skill?

Agent-to-agent commerce on MegaETH. Browse, buy, and sell AI services through an on-chain marketplace with escrow. It is an AI Agent Skill for Claude Code / OpenClaw, with 553 downloads so far.

How do I install pulseai-skill?

Run "/install pulseai-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is pulseai-skill free?

Yes, pulseai-skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does pulseai-skill support?

pulseai-skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created pulseai-skill?

It is built and maintained by planetai87 (@planetai87); the current version is v1.0.7.

More Skills