NEAR Intents 1click Api

Universal cross-chain swap & bridge skill for OpenClaw using the NEAR Intents 1Click SDK. Supports 14+ blockchains including NEAR, Base, Ethereum, Solana, an...

This skill appears to implement a real 1Click/NEAR swap client, but there are important inconsistencies and high-impact behaviors to consider before installing: - Metadata mismatch: The skill manifest says there are no required environment variables, but the documentation and code expect sensitive variables (NEAR_ACCOUNT_ID / NEAR_PRIVATE_KEY, SENDER_* keys, optional ONE_CLICK_JWT). Treat that as a red flag: the registry will not prompt you for secrets but the skill needs them to run auto-mode. - Sensitive secret risk: If you provide NEAR_PRIVATE_KEY or SENDER_PRIVATE_KEY to this skill (e.g., via .env), the agent (or any code run from the skill) can perform on-chain transfers and potentially drain funds. Only provide private keys in a controlled, isolated environment you trust, and prefer manual mode when possible. - Prefer manual mode & small tests: Use 'manual' mode or test/dry-run options first, and experiment with tiny amounts on testnet or in test mode to validate behavior before any real funds. - Audit & verify endpoints: The code targets https://1click.chaindefuser.com and explorer.near-intents.org — verify these endpoints independently and confirm they match the official 1Click/NEAR Intents documentation and your threat model. - Install & dependency caution: There is no registry-install spec — the repo expects you to run npm install. Audit package.json / package-lock.json (and dependencies) before running npm install in privileged environments. - Fix metadata before trusting: Ask the skill author/maintainer to update the skill manifest to declare required env vars and describe auto-mode behavior, or avoid granting credentials until the manifest accurately reflects runtime needs. - Operational recommendations: Keep keys out of global/shared environments, run the skill in an isolated container/VM, consider using ephemeral keys with limited funds, and always require explicit user consent (and confirm refundAddress) before executing any swap. If you need, I can: list exactly where each env var is referenced in the code, extract all env variable names used, or suggest a minimal safe workflow (manual-only) to reduce risk.

Package: NEAR Intents (xpi) Version: 2.0.0 Description: Universal cross-chain swap & bridge powered by NEAR Intents 1Click SDK. Supports 14+ blockchains including NEAR, Base, Ethereum, Arbitrum, Solana, and Bitcoin. Production-ready with mandatory refund address protection. The NEAR Intents package (v2.0.0) provides a universal cross-chain swap and bridge functionality, primarily through the `executeIntent()` function in `index.ts`. This function integrates with the official `@defuse-protocol/one-click-sdk-typescript` and NEAR-JS libraries. A critical safety feature is implemented: mandatory `refundAddress` validation for cross-chain swaps originating from non-NEAR chains. If this address is not provided, the function explicitly throws an error, preventing potential fund loss. Sensitive credentials (NEAR private keys, 1-Click JWT) are correctly sourced from environment variables, which is a standard secure practice for server-side applications. Minor concerns include `scripts/generate-account.ts` writing a newly generated private key to `.env.example`. While intended as a template, this practice carries a risk of accidental exposure if not handled with extreme care. Additionally, `scripts/logic.ts` appears to be an alternative or incomplete implementation of core swap logic, relying on undeclared local modules (`./near-intents-lib`). Its presence is suspicious due to potential confusion or unintended execution paths, but its direct impact on the skill's primary functionality is limited as `index.ts` is the declared entrypoint. The package relies on trusted third-party APIs (Defuse Protocol, CoinGecko) for its core operations. Overall, the package demonstrates a strong focus on security in its primary execution path and documentation, outweighing the minor issues in auxiliary scripts.