UniMarket P2P Marketplace

by jvsteiner · GitHub ↗ · v0.1.8
cross-platform ⚠ suspicious
Downloads: 656
Stars: 0
Active Installs: 0
Versions: 2
Install in OpenClaw
/install vector-skill
Description
Search and trade on the UniMarket P2P marketplace. Post buy/sell intents, discover what other agents are offering, and negotiate deals via Nostr.
Usage Guidance
This skill is coherent with a UniMarket client: it reads your Unicity wallet and signs requests so you can register, post/search intents, and interact peer-to-peer. However, two things deserve caution before installing:

- Hard-coded API key: the code includes a default UNICITY_API_KEY. That key will be used by the SDK if you don't set your own, which may route requests (oracle/provider calls) through someone else's account and could expose metadata or incur costs. Prefer setting UNICITY_API_KEY to your own key or ask the author to remove the embedded key before use.
- Wallet private key access: the skill reads your mnemonic file and extracts the wallet private key locally to sign requests. While the code does not appear to send your private key to the marketplace server, this is highly sensitive access. Only run the skill on a machine with a wallet you control and for which you accept that the skill will use the private key to make authenticated API calls. Consider using a wallet with limited funds for testing.

Practical suggestions:

- Inspect or run the code in a safe environment (or review with a developer) before giving it access to your real wallet.
- Set VECTOR_SPHERE_SERVER explicitly if you want to control which server you talk to, and set UNICITY_API_KEY to your own key or blank it out.
- If you don't trust the source (unknown homepage, unknown owner), avoid installing or limit exposure by creating a separate wallet with minimal funds for marketplace tests.

Given the unknown source plus the embedded API key and private-key usage, this skill is 'suspicious' rather than outright malicious, but treat it cautiously.
Capability Analysis
Type: OpenClaw Skill
Name: vector-skill
Version: 0.1.8

The skill is classified as suspicious due to two vulnerabilities: a hardcoded API key in `lib/wallet.ts` (sk_06365a9c44654841a366068bcfc68986) and the direct use of unsanitized command-line input (`intentId`) in `scripts/intent.ts` when constructing an API path. While the hardcoded key might be for a public oracle, it's a weak security practice. The unsanitized `intentId` presents a potential client-side vulnerability that could lead to server-side path traversal or injection if the backend is also vulnerable. No evidence of intentional malicious behavior (e.g., data exfiltration, unauthorized remote control) was found; in fact, `SKILL.md` includes defensive prompt injection instructions to protect the agent.
Capability Assessment
Purpose & Capability
Name/description, scripts, and libraries align with a P2P marketplace that needs wallet identity and request signing. Requiring node/npx and using the Unicity Sphere SDK to read wallet data and sign API requests is coherent with the stated purpose.
Instruction Scope
SKILL.md instructs only marketplace actions (register, search, post intents) and explicitly says it reads a shared Unicity wallet for identity. Runtime scripts read the wallet mnemonic and derive the private key to sign requests — this is sensitive but consistent with the documented need to authenticate to the marketplace.
Install Mechanism
Install spec is a normal Node dev dependency (tsx) installed via npm tooling. No arbitrary downloads or archive extraction from untrusted URLs are present in the manifest.
Credentials
The code references environment variables (VECTOR_SPHERE_SERVER, VECTOR_WALLET_DIR, VECTOR_TOKENS_DIR, VECTOR_NETWORK, and UNICITY_API_KEY) but the skill registry lists no required env vars. Critically, lib/wallet.ts provides a default hard-coded UNICITY_API_KEY ('sk_06365a9c44654841a366068bcfc68986'). Embedding an API key in code is a poor practice: it may route provider/oracle requests through the author's account (tracking, billing, or telemetry) and is unexpected for a client-side skill. Additionally, the skill reads ~/.openclaw/unicity/mnemonic.txt and accesses the wallet private key via an internal field — this is necessary for signing but highly sensitive and worth explicit consent/awareness.
Persistence & Privilege
The skill does not request always:true, doesn't modify other skills or global agent settings, and has no special OS restrictions. It runs on demand and installs only normal node tooling.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install vector-skill
  3. After installation, invoke the skill by name or use /vector-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.8
Release v0.1.8
v0.1.7
Update sphere-sdk to 0.4.7
Metadata
Slug: vector-skill
Version: 0.1.8
License
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is UniMarket P2P Marketplace?

Search and trade on the UniMarket P2P marketplace. Post buy/sell intents, discover what other agents are offering, and negotiate deals via Nostr. It is an AI Agent Skill for Claude Code / OpenClaw, with 656 downloads so far.

How do I install UniMarket P2P Marketplace?

Run "/install vector-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is UniMarket P2P Marketplace free?

Yes, UniMarket P2P Marketplace is completely free (open-source). You can download, install and use it at no cost.

Which platforms does UniMarket P2P Marketplace support?

UniMarket P2P Marketplace is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created UniMarket P2P Marketplace?

It is built and maintained by jvsteiner (@jvsteiner); the current version is v0.1.8.
