功能描述

Send and receive encrypted messages and manage handshakes on the Kaspa blockchain using Kasia protocol and mcporter tools.

使用说明 (SKILL.md)

Kasia — Encrypted Messaging on Kaspa

Name: Kasia
Author: renkasiyas

Send and receive encrypted messages on the Kaspa blockchain via the Kasia protocol. Uses mcporter to call kasia-mcp tools.

Prerequisites

mcporter installed (npm install -g mcporter)
kasia-mcp built and configured in config/mcporter.json
kaspa-mcp configured (same wallet) — needed to broadcast transactions
Wallet mnemonic or private key set in mcporter config

Run scripts/setup.sh to configure automatically:

scripts/setup.sh /path/to/kasia-mcp --mnemonic "your twelve word phrase" --network mainnet

Verify: mcporter list kasia (should show 8 tools)

Tools

Call via mcporter call kasia.\x3Ctool> from the workspace directory.

Read Operations (no transaction needed)

Tool	Purpose	Example
`kasia_get_conversations`	List all conversations + status	`mcporter call kasia.kasia_get_conversations`
`kasia_get_requests`	Pending incoming handshakes	`mcporter call kasia.kasia_get_requests`
`kasia_get_messages`	Read decrypted messages	`mcporter call kasia.kasia_get_messages address="kaspa:q..."`
`kasia_read_self_stash`	Read encrypted private data	`mcporter call kasia.kasia_read_self_stash scope="notes"`

Write Operations (two-step: generate payload → broadcast)

Write tools return a payload and instructions. Broadcast with kaspa.send_kaspa:

# Step 1: Generate payload
mcporter call kasia.kasia_send_handshake address="kaspa:q..."
# Returns: { action, to, amount, payload, instructions }

# Step 2: Broadcast (use the returned values)
mcporter call 'kaspa.send_kaspa(to: "kaspa:q...", amount: "0.2", payload: "\x3Chex>")'

Tool	Purpose
`kasia_send_handshake`	Start a conversation with someone
`kasia_accept_handshake`	Accept an incoming handshake request
`kasia_send_message`	Send an encrypted message in an active conversation
`kasia_write_self_stash`	Store encrypted private data on-chain

Conversation Flow

Check requests: kasia_get_requests — see pending incoming handshakes
Start or accept: kasia_send_handshake or kasia_accept_handshake → broadcast with kaspa.send_kaspa
Chat: kasia_send_message → broadcast. Read replies with kasia_get_messages
Pay: Use kaspa.send_kaspa directly for payments (no Kasia-specific tool needed)

Conversation Status

pending_outgoing — You sent a handshake, waiting for acceptance
pending_incoming — Someone sent you a handshake, needs acceptance
active — Both sides completed handshake, can exchange messages

Background Polling

For real-time message relay, set up a background poller:

Create a polling script that calls kasia_get_messages every N seconds
Track seen transaction IDs to avoid duplicates
Write new messages to a file (e.g., memory/kasia-new-messages.jsonl)
Use a cron job or heartbeat check to relay new messages to the user

See references/protocol.md for the full protocol specification and indexer API details.

Important

Mainnet only — kasia-mcp enforces mainnet (messaging isn't available on testnet)
Two-step writes — Write tools generate payloads; you must broadcast with kaspa.send_kaspa
Same wallet — kasia-mcp and kaspa-mcp must use the same mnemonic/key
Costs KAS — Every message is a transaction (~0.2 KAS minimum per tx)

安全使用建议

This skill appears to do what it claims (on‑chain encrypted messaging), but it asks you to supply and stores your wallet mnemonic and to build/run code from a local kasia-mcp repository. Before installing or running: - Treat the mnemonic as highly sensitive. Do not paste a real/mainnet mnemonic on a machine or shell you don't fully control. Prefer a throwaway wallet for testing. Avoid passing secrets on the command line (shell history/process lists). - The setup script writes the mnemonic into mcporter's config file in plaintext (~/.openclaw/workspace/config/mcporter.json or ./config/mcporter.json). Inspect that file after setup and ensure its filesystem permissions are restricted. - Building kasia-mcp runs npm install/npm run build in the provided path. That can execute arbitrary package scripts. Only build code from sources you trust; review the kasia-mcp package.json and build scripts first. - The skill's docs reference an indexer API (https://indexer.kasia.fyi). Although payloads are encrypted, the indexer could still collect metadata. If you are privacy‑sensitive, review or self‑host the indexer before using mainnet. - The registry metadata does not declare the mnemonic/env requirement—this is an omission. If you need to use real funds, ask the author to document required secrets and config paths explicitly, provide verification of the kasia-mcp code, or run the skill in an isolated environment. If uncertain: test with a throwaway wallet on a separate machine/container and inspect the generated mcporter config and the kasia-mcp code before trusting real funds or long‑term keys.

功能分析

Type: OpenClaw Skill Name: kasia Version: 1.0.0 The `scripts/setup.sh` file contains a critical shell injection vulnerability. User-provided arguments such as `--mnemonic`, `--network`, and `--indexer-url` are directly interpolated into a `python3 -c` command without proper sanitization. This allows for arbitrary code execution (RCE) if an attacker can control these arguments, for example, by crafting a malicious mnemonic phrase. While this is a severe vulnerability, the script's stated purpose is configuration, and there is no clear evidence of intentional malicious behavior (e.g., data exfiltration or backdoor installation) within the skill bundle itself, classifying it as suspicious rather than malicious.

能力评估

ℹ Purpose & Capability

Name/description (Kasia encrypted messaging via mcporter/kaspa) match the included tooling and docs: the skill expects a local kasia-mcp and kaspa-mcp, generates payloads, and requires broadcasting via kaspa.send_kaspa. However, SKILL.md and registry metadata declare no required credentials/config paths while the runtime instructions and setup.sh clearly require and store a wallet mnemonic (KASPA_MNEMONIC) and may set an indexer URL — this mismatch is notable.

⚠ Instruction Scope

The SKILL.md and scripts/setup.sh instruct the user to run a setup script that: (a) accepts a wallet mnemonic on the command line, (b) writes the mnemonic into the mcporter config JSON (potentially at ./config/mcporter.json or $HOME/.openclaw/workspace/config/mcporter.json) in plaintext, (c) runs npm install/npm run build inside the supplied kasia-mcp path, and (d) recommends background polling that writes messages to a file. All steps are consistent with implementing the feature, but they expose very sensitive secrets (mnemonic) and ask the agent to read/write config and files that were not declared up‑front. Passing the mnemonic on the command line also risks leakage via shell history or process listing.

⚠ Install Mechanism

There is no formal install spec (instruction-only), but scripts/setup.sh will run npm install and npm run build in the user-supplied kasia-mcp directory. Building arbitrary code invokes package scripts and can execute arbitrary commands (supply‑chain risk). The skill itself does not download remote archives, but it will cause local build/installation of third‑party code if the user follows instructions.

⚠ Credentials

The runtime requires a wallet mnemonic/private key (KASPA_MNEMONIC) and may set KASIA_INDEXER_URL, but the registry metadata declared no required env vars or primary credential. Requesting and storing a full wallet mnemonic is proportional to on‑chain signing needs, but it is sensitive and should be explicitly declared and justified. The skill stores the secret in a user config JSON in plaintext — a high‑sensitivity action that should be highlighted to users.

ℹ Persistence & Privilege

always:false (normal). The setup script persists configuration by creating/modifying the mcporter config file and adding a 'kasia' mcpServer entry that invokes node <path>/dist/index.js. Modifying the user's mcporter config is expected for this feature, but it grants persistent capability and stores secrets — users should be aware and verify the config location and permissions.

版本历史

v1.0.0

Initial release — on-chain encrypted messaging for Kaspa via Kasia protocol

元数据

Slug kasia

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Kasia 是什么？

Send and receive encrypted messages and manage handshakes on the Kaspa blockchain using Kasia protocol and mcporter tools. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 778 次。

如何安装 Kasia？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install kasia」即可一键安装，无需额外配置。

Kasia 是免费的吗？

是的，Kasia 完全免费（开源免费），可自由下载、安装和使用。

Kasia 支持哪些平台？

Kasia 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Kasia？

由 renkasiyas（@renkasiyas）开发并维护，当前版本 v1.0.0。

Kasia