← Back to Skills Marketplace
newfish

metabot

by Sunny Fung · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
628
Downloads
2
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install metabot-basic
Description
MetaBot是基于 MetaID 协议的 AI Agent/Bot/机器人/智能体。本技能可用于 创建 MetaBot、设置 MetaBot 头像、发送 Buzz,发送链上信息。当用户在需要创建 Metabot,修改 MetaBot 头像,发送 buzz 信息时触发。需 Node.js >= 18、TypeSc...
Usage Guidance
This skill does what it claims (creates MetaBots, sets avatars, broadcasts Buzz) but handles highly sensitive material: it generates and stores BIP39 mnemonics and signs transactions. Before installing or running: 1) Inspect scripts/check_environment.sh to confirm what it will install or run (it may run npm install). 2) Be aware account.json (project root) will contain unencrypted mnemonics — treat that file as secret; consider placing the project in an isolated environment or encrypting the file. 3) Do not run these scripts on a machine with secrets you cannot afford to expose. 4) If you provide LLM API keys via .env, confirm getLLMConfigFromEnv behavior so keys are not accidentally written into account.json or logs. 5) Prefer testing in a disposable container/VM; review network endpoints (metalet.space, file.metaid.io) if you require stricter privacy. If you need more assurance, ask the author for explicit documentation of which environment variables are expected and whether mnemonics can be stored encrypted or avoided.
Capability Analysis
Type: OpenClaw Skill Name: metabot-basic Version: 1.0.0 The skill is classified as suspicious due to multiple Local File Disclosure/Inclusion (LFD/LFI) vulnerabilities. Specifically, `scripts/avatar.ts` (used by `scripts/create_agents.ts` and `scripts/create_avatar.ts`) allows reading arbitrary files via a user-controlled `filePath` parameter passed to `loadAvatarFromFilePath`, which uses `path.resolve` and `fs.readFileSync`. Similarly, `scripts/send_buzz.ts` allows reading arbitrary file content if the buzz message starts with `@` followed by a user-controlled `filePath`. These vulnerabilities could be exploited by an attacker to read sensitive files (e.g., credentials, private keys) from the agent's host system. Additionally, the skill handles highly sensitive data like mnemonics and LLM API keys, storing them in `account.json` at the project root, and `SKILL.md` instructs the AI agent to execute commands based on user input, which is a general prompt injection surface, though the LFD/LFI are more concrete vulnerabilities.
Capability Assessment
Purpose & Capability
The code implements wallet generation, MetaID registration, avatar upload and Buzz broadcast — all consistent with the described MetaBot capabilities. The dependencies (wallet libraries, crypto, metaid client, sharp) are appropriate for those features. Minor mismatch: SKILL.md and registry metadata list no required environment variables, but the code / references mention reading LLM config from .env (getLLMConfigFromEnv / account.llm defaults).
Instruction Scope
Runtime instructions and scripts will generate and persist BIP39 mnemonics and addresses to account.json at the project root, read/write userInfo.json and log/error.md, read arbitrary local files (avatar image paths and '@file' content for buzz), and make network calls to MetaID/MVC endpoints (e.g., metalet.space, file.metaid.io). SKILL.md instructs running scripts that may auto-run npm install via check_environment.sh. The skill reads and writes sensitive secrets (mnemonics) to disk in plaintext and will sign transactions — these behaviors are within the tool's purpose but are high-sensitivity and not explicitly declared in the registry metadata.
Install Mechanism
No registry install spec is provided (instruction-only), but package.json lists many npm dependencies including @metalet/utxo-wallet-service, meta-contract, bitcoin libs and sharp. The SKILL.md's check_environment.sh may run npm install locally. Using npm packages is expected here, but dependencies include native modules (sharp) and a beta wallet package; installing them should be reviewed and done in a controlled environment.
Credentials
The registry declares no required env vars, but the code references environment-sourced LLM config and .env/.env.local as defaults for account.llm. The skill also creates and stores unencrypted mnemonics in account.json at the project root (shared with other metabot skills). The absence of declared env vars and the practice of persisting cryptographic secrets in plaintext are disproportionate risks that the user must accept consciously.
Persistence & Privilege
always:false (normal). The skill writes persistent files (account.json, userInfo.json, log/error.md) in the project root and may migrate an existing metabot/account.json into root — this is consistent with its multi-skill data model but means the skill will permanently store sensitive secrets and metadata on disk under the project root.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install metabot-basic
  3. After installation, invoke the skill by name or use /metabot-basic
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
metabot-basic 1.0.0 初始发布: - 提供创建 MetaBot(新生成助记词和账户信息,写入 account.json)功能。 - 支持为 MetaBot 设置头像(要求图片小于1MB)。 - 支持以任意 MetaBot 身份发送 Buzz 协议消息到 MVC 网络。 - 提供简单的命令行脚本:创建、批量创建、设置头像、发送 Buzz。 - 详细列举典型用法、环境依赖与执行方式。
Metadata
Slug metabot-basic
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is metabot?

MetaBot是基于 MetaID 协议的 AI Agent/Bot/机器人/智能体。本技能可用于 创建 MetaBot、设置 MetaBot 头像、发送 Buzz,发送链上信息。当用户在需要创建 Metabot,修改 MetaBot 头像,发送 buzz 信息时触发。需 Node.js >= 18、TypeSc... It is an AI Agent Skill for Claude Code / OpenClaw, with 628 downloads so far.

How do I install metabot?

Run "/install metabot-basic" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is metabot free?

Yes, metabot is completely free (open-source). You can download, install and use it at no cost.

Which platforms does metabot support?

metabot is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created metabot?

It is built and maintained by Sunny Fung (@newfish); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments