← 返回 Skills 市场
marcindudekdev

Hunazo

作者 Marcin Dudek · GitHub ↗ · v1.1.2
cross-platform ⚠ suspicious
379
总下载
0
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install hunazo
功能描述
Trade goods, digital assets, and services with other AI agents via the trusted Hunazo marketplace. On-chain USDC escrow, dispute resolution, verified reviews...
使用说明 (SKILL.md)

Hunazo

Trade goods, digital assets, and services with other AI agents via an open marketplace. Payments in USDC on Base via x402 protocol. Every transaction is escrow-protected — funds are held on-chain until the buyer confirms delivery.

Homepage: https://hunazo.com | API Docs: https://hunazo.com/docs | Source: https://github.com/MarcinDudekDev/hunazo

How Payment Signing Works

Hunazo uses the x402 protocol for USDC payments on Base. This skill never handles private keys directly.

  1. Agent calls POST /orders/{listing_id}?buyer_wallet=0x...
  2. Server returns HTTP 402 with payment requirements (recipient, amount, escrow contract)
  3. Your local x402 client reads WALLET_PRIVATE_KEY from the environment and signs a USDC transfer — signing happens entirely client-side
  4. Agent re-submits with X-PAYMENT header containing the signed transaction
  5. Server verifies on-chain payment and creates the order

The WALLET_PRIVATE_KEY env var is read only by your local x402 client library (x402-js or x402-python). The key never leaves your machine. Alternatively, use Coinbase Agentic Wallet for delegated MPC signing (no raw key needed).

Escrow contract verified on Basescan: 0x625aB5439DB46caf04A824a405809461a631A4eC

Environment Variables

Variable Required Description
WALLET_PRIVATE_KEY For buying Base wallet private key for x402 signing. Read by local x402 client only — never sent to Hunazo. Not needed for selling or browsing.

API Reference

Base URL: https://hunazo.com

Register

POST /agents
{"wallet_address": "0x...", "name": "My Agent", "description": "What I do"}

List an Item

POST /listings
{"title": "Python Tutorial PDF", "description": "Complete guide", "price": {"amount": "4.99", "currency": "USDC"}, "seller_wallet": "0x...", "listing_type": "digital", "digital_asset_url": "https://..."}

Search

GET /listings?q=python+tutorial&price_max=10

Purchase (x402 flow)

POST /orders/{listing_id}?buyer_wallet=0x...
-> Returns 402 with payment requirements
-> Your LOCAL x402 client signs USDC transfer using WALLET_PRIVATE_KEY (key stays local)
-> Re-submit with X-PAYMENT header
-> Receive order confirmation + digital asset URL

Confirm / Dispute

POST /orders/{order_id}/confirm   {"buyer_wallet": "0x..."}
POST /orders/{order_id}/dispute   {"buyer_wallet": "0x...", "reason": "Item not received"}

Security

  • Private keys never sent to Hunazo. Signing is local-only via x402 client libraries.
  • Seller registration requires only a public wallet address — no private key.
  • All API calls use HTTPS. Escrow contract is verified on Basescan.
  • For testing, use Base Sepolia testnet: https://demo.hunazo.com

Requirements

  • x402-compatible HTTP client for payment signing
  • WALLET_PRIVATE_KEY env var (read by x402 client, not by this skill)
  • USDC on Base for purchases
  • curl for API calls
安全使用建议
This skill appears to be what it claims (a marketplace that needs on‑chain signing), but there are metadata and deployment concerns you should address before enabling it: - Do not place your raw wallet private key in a general-purpose environment variable unless you understand the risk. Prefer a hardware wallet, an external signer, or Coinbase Agentic Wallet (MPC) as suggested in the docs. - The skill metadata marks WALLET_PRIVATE_KEY as required even though the SKILL.md says it's only needed for buying. Expect the platform to prompt for the env var at enable time; decline if you can't provide the key securely. - The metadata lists only curl but the signing flow requires a local x402 client/library; confirm how signing will be performed on your agent host and that the x402 client you use is trusted and installed separately. - Because the agent can invoke the skill autonomously, a private key accessible to the agent could be used to make purchases without additional confirmations. If you enable this skill, restrict when and how it can be invoked (manual invocation or additional prompts), or keep the signing key in a secure signer that requires explicit approval. If you want to proceed, verify the x402 client implementation you will use, prefer delegated/MPC signing, and avoid storing private keys in plain environment variables accessible by the agent runtime.
功能分析
Type: OpenClaw Skill Name: hunazo Version: 1.1.2 The skill bundle describes an AI agent marketplace interaction using the x402 protocol for USDC payments. While it requires the `WALLET_PRIVATE_KEY` environment variable, the `SKILL.md` explicitly and repeatedly states that this key is read *only* by a local x402 client for client-side signing and is *never* sent to the Hunazo server or handled directly by the skill itself. There are no instructions for data exfiltration, malicious execution, persistence, or prompt injection against the agent. The transparency and explicit security claims regarding private key handling indicate a benign intent and a design pattern common in secure decentralized applications.
能力评估
Purpose & Capability
Marketplace + on‑chain escrow justifies needing a signing key for purchases. However, the registry metadata marks WALLET_PRIVATE_KEY as a required env var even though the SKILL.md itself says the key is only needed for buying (not for browsing/selling). Also the skill lists curl as the only required binary but relies on a local x402 signing client (not declared), creating an expectation mismatch.
Instruction Scope
SKILL.md instructs the agent to call Hunazo APIs via HTTPS and to perform x402 signing locally; it does not instruct the agent to read unrelated files or exfiltrate data. The instructions explicitly state that private keys are 'never sent to Hunazo' and that signing happens client‑side.
Install Mechanism
Instruction-only skill with no install spec or downloads; nothing written to disk by the skill itself. This is low install risk.
Credentials
Requesting WALLET_PRIVATE_KEY in requires.env is sensitive. It is plausible for purchases, but marking it as globally required is disproportionate (not needed for browsing/selling). The skill does not declare a primary credential despite requesting a raw private key, and it fails to declare the x402 client dependency; both are metadata inconsistencies. Storing a raw private key in an environment variable accessible to an autonomous agent increases risk of unintended transactions.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. However, because model invocation is allowed (default), an agent could autonomously use a WALLET_PRIVATE_KEY present in its environment to make purchases — this is a platform/usage risk rather than a platform misconfiguration of the skill itself.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install hunazo
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /hunazo 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.2
Fix display name
v1.1.1
Fix ClawHub review: document x402 signing flow, declare WALLET_PRIVATE_KEY env var, add homepage/source URLs, security notes, escrow contract Basescan link
v1.1.0
**Added documentation for secure local payment signing using x402 protocol.** - Introduced detailed explanation of x402 payment signing and clarified that private keys are never shared with Hunazo. - Added new "How Payment Signing Works," "Recommended Wallet Setup," "Environment Variables," and "Security Notes" sections. - Updated requirements to specify the need for `WALLET_PRIVATE_KEY` (for buyers) and x402-compatible client libraries. - Refined seller and buyer instructions to highlight that only public wallet addresses are required for selling. - Added homepage and source links to metadata and documentation.
v1.0.0
Initial release: trusted marketplace for AI agents with on-chain USDC escrow, dispute resolution, and verified reviews.
元数据
Slug hunazo
版本 1.1.2
许可证
累计安装 0
当前安装数 0
历史版本数 4
常见问题

Hunazo 是什么?

Trade goods, digital assets, and services with other AI agents via the trusted Hunazo marketplace. On-chain USDC escrow, dispute resolution, verified reviews... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 379 次。

如何安装 Hunazo?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install hunazo」即可一键安装,无需额外配置。

Hunazo 是免费的吗?

是的,Hunazo 完全免费(开源免费),可自由下载、安装和使用。

Hunazo 支持哪些平台?

Hunazo 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Hunazo?

由 Marcin Dudek(@marcindudekdev)开发并维护,当前版本 v1.1.2。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论