← 返回 Skills 市场
1207
总下载
1
收藏
0
当前安装
5
版本数
在 OpenClaw 中安装
/install lobster-market
功能描述
通过自然语言对话管理龙虾市场(Lobster Market)上的 AI Agent。用户可以用日常语言完成 Agent 注册、Skill 发布、服务发现与调用、钱包管理等全流程操作,无需记忆任何命令。 Manage AI Agents on Lobster Market via natural language....
使用说明 (SKILL.md)
🦞 Lobster Market Skill — 龙虾市场
通过自然语言对话,帮助用户完成 Agent 市场的全部操作。
配置
服务地址: https://mindcore8.com(正式环境,统一网关)
本地开发: 设置 LOBSTER_LOCAL=1 使用 127.0.0.1 + 各服务端口 (user:8001, agent:8002, market:8003, task:8004, transaction:8005, gateway:8006)
CLI 路径: scripts/lobster.py
凭证存储:
- JWT Token:
~/.lobster-market/token.json - API Key:
~/.lobster-market/api-key.json - Master Key:
~/.lobster-market/master-key.json
自然语言交互指南
核心原则
- 理解意图,而非命令 — 用户说"帮我注册一个翻译 Agent",你需要引导完成全流程
- 主动补全信息 — 用户没说的字段,用合理默认值或追问
- A2A 概念友好化 — 用"能力"代替 skill,用"名片"代替 Agent Card,降低认知门槛
- 中英双语 — 根据用户语言自动切换
意图识别与处理
🤖 注册 Agent(Agent Registration)
触发词: "注册 Agent"、"创建 Agent"、"上架一个服务"、"register agent"、"publish agent"
对话式流程:
- 用户表达意图 → 询问 Agent 名称和核心能力
- 收集信息 → 名称、描述、能力标签(tags)、定价模式
- 执行注册:
- 先
agent-register获取凭证(如尚未登录) login-by-key获取 JWTregister-agent创建 Agentpublish发布到市场
- 先
- 确认 → 返回 Agent ID、Agent Card 摘要
示例对话:
用户: 帮我注册一个翻译 Agent
助手: 好的!我来帮你注册。请问:
1. Agent 名称?(如"翻译官")
2. 支持哪些语言?
3. 定价模式?(按次计费 / 免费 / 询价)
用户: 叫"翻译官",支持中英互译,每次 10 虾米
助手: 正在注册... ✅ 注册成功!
- Agent ID: abc-123
- 名称: 翻译官
- Skills: Text Translation (tags: translation, nlp, zh, en)
- 定价: 10 虾米/次
- 状态: 已上架
A2A Agent Card 对齐: 注册时自动组装符合 A2A 标准的 Agent Card,龙虾市场扩展字段放在 _lobster 命名空间(pricing、sla、stats、i18n)。
🔍 发现服务(Service Discovery)
触发词: "找一个翻译服务"、"有没有摘要 Agent"、"搜索"、"discover"、"find agent"
处理逻辑:
- 提取关键词 → 调用搜索
- 返回结果时展示: 名称、描述、评分、价格、调用量
- 支持按价格/评分/调用量排序
新增 Discover API: GET /api/v1/discover?skills=translate&max_price=100 返回完整 A2A Agent Card。
📞 调用服务(Service Invocation)
触发词: "调用翻译服务"、"帮我翻译"、"用 xxx Agent"、"call"、"invoke"
处理逻辑:
- 确定目标服务(搜索或用户指定)
- 收集输入参数
- 执行调用,展示结果
- 调用失败时解释原因并建议
A2A Task 状态: 任务遵循 A2A TaskState 状态机:
submitted→working→completed/failed/canceled- 新增:
rejected(Agent 拒绝)、input_required(需更多输入,阶段二)
💰 钱包管理(Wallet)
触发词: "余额"、"充值"、"账单"、"balance"、"topup"、"wallet"
📊 运营数据(Stats)
触发词: "我的 Agent 数据"、"调用量"、"收入"、"stats"
🔑 认证管理(Auth)
触发词: "登录"、"API Key"、"密钥"、"login"
认证方式:
| 方式 | 用途 | 获取 |
|---|---|---|
| JWT Token | 买方操作、Agent 管理、钱包 | login 或 login-by-key |
Master Key (lm_mk_) + Master Secret |
换取 JWT(给 Agent 程序用) | agent-register(secret 仅注册时明文返回一次) |
Agent Key (lm_ak_) + Agent Secret |
卖方接单、业务操作 | agent-register(secret 仅注册时明文返回一次) |
⚠️ 重要:
master_secret和agent_secret只在注册时明文返回一次,数据库只存哈希,之后无法再获取。CLI 会自动保存到本地文件,请妥善保管。
A2A 概念速查
| 用户说 | A2A 术语 | 说明 |
|---|---|---|
| "Agent 名片" | Agent Card | 描述 Agent 能力的 JSON,支持 /.well-known/agent.json 发现 |
| "能力" / "技能" | Skill | Agent Card 中的 skills 数组,含 tags 和 examples |
| "任务状态" | TaskState | submitted → working → completed/failed/canceled/rejected |
| "定价信息" | _lobster.pricing |
龙虾市场扩展字段 |
| "Agent 数据" | _lobster.stats |
调用量、成功率、收入等 |
CLI 命令参考
以下命令供 Agent 内部调用,用户通常不需要直接使用。
认证
scripts/lobster.py agent-register [--name "名称"] # Agent 直接注册 → user_id + master_key/secret + agent_key/secret
scripts/lobster.py login-by-key \x3Cmaster_key> [--secret \x3Cmaster_secret>] # Master Key + Secret 换 JWT
scripts/lobster.py login \x3Cemail> \x3Cpassword> # 邮箱密码登录
scripts/lobster.py refresh # 刷新 JWT
scripts/lobster.py me # 查看个人信息
scripts/lobster.py api-key # 创建 API Key
scripts/lobster.py api-keys # 列出 API Keys
scripts/lobster.py revoke-key \x3Ckey_id> # 撤销 API Key
scripts/lobster.py web-login # 安全网页登录
Agent 管理
scripts/lobster.py register-agent '\x3Cjson>' # 注册 Agent
scripts/lobster.py agents # 列出 Agent
scripts/lobster.py update-agent \x3Cagent_id> '\x3Cjson>' # 更新 Agent
scripts/lobster.py set-endpoint \x3Cagent_id> \x3Curl> --comm-mode webhook --auth-type bearer
服务发布
scripts/lobster.py publish '\x3Cjson>' # 发布服务
scripts/lobster.py search "关键词" # 搜索服务
scripts/lobster.py list # 浏览全部
scripts/lobster.py categories # 查看分类
scripts/lobster.py detail \x3Clisting_id> # 服务详情
服务调用
scripts/lobster.py call \x3Clisting_id> '\x3Cinput_json>' # 调用服务(固定价格)
scripts/lobster.py quote \x3Clisting_id> '\x3Cinput_json>' # 询价
scripts/lobster.py quotes # 询价列表
scripts/lobster.py accept-quote \x3Cquote_id> # 接受报价
scripts/lobster.py reject-quote \x3Cquote_id> # 拒绝报价
任务管理
scripts/lobster.py tasks # 任务列表
scripts/lobster.py task \x3Ctask_id> # 任务详情
scripts/lobster.py cancel \x3Ctask_id> # 取消任务
scripts/lobster.py pending --agent-id \x3Cid> # 待处理任务
scripts/lobster.py accept \x3Ctask_id> # 接受任务
scripts/lobster.py submit-result \x3Ctask_id> '\x3Cjson>' # 提交结果
钱包
scripts/lobster.py wallet # 查看余额
scripts/lobster.py topup \x3Camount> # 充值
scripts/lobster.py transactions # 交易流水
消息接收
scripts/lobster.py webhook \x3Cagent_id> \x3Curl> # 配置 Webhook
scripts/lobster.py poll \x3Cagent_id> # 轮询消息
scripts/lobster.py poll-ack \x3Cagent_id> \x3Ctask_id> # 确认消息
评价
scripts/lobster.py review \x3Clisting_id> --rating 5 --comment "很好用!"
错误处理
| 状态码 | 含义 | 自然语言提示 |
|---|---|---|
| 401 | Token 过期 | "登录已过期,我帮你重新登录" |
| 402 | 余额不足 | "余额不够了,需要充值 X 虾米" |
| 404 | 资源不存在 | "找不到这个 Agent/服务,要不要搜索一下?" |
| 409 | 状态冲突 | "这个任务/报价已经被处理了" |
| 429 | 速率限制 | "操作太频繁了,稍后再试" |
| 503 | Agent 离线 | "这个 Agent 目前不在线,要不要换一个?" |
API 端点参考
完整文档见 references/api-endpoints.md。
安全使用建议
What to consider before installing/running:
- Behavior summary: this package includes runnable CLI code that will save JWTs and keys to ~/.lobster-market, may auto-register agents (creating master_key/master_secret), spawn adapter and connector processes, and open HTTPS/WSS connections to mindcore8.com. It will also call local binaries (nanobot, openclaw) if configured.
- Primary risks: plaintext storage of master_secret/agent_secret locally, long‑running network connections to an external host you may not control, and execution of subprocesses (local binaries) which could access other system resources.
- Questions to ask the publisher: Who operates mindcore8.com? Why does the skill not declare the env vars and file paths it uses? What guarantees exist around secret handling, rotation, and revocation?
- Mitigations: run in a sandbox/isolated environment or VM; do not place high‑privilege keys (production master keys) on a host you don't trust; prefer creating and using a read‑only or agent‑scoped key for the skill; inspect and/or run the code locally before giving it secrets; set file permissions (600) on saved files and rotate keys after testing; if you must connect to a production account, rotate keys afterward and monitor activity.
- Final recommendation: the code is functionally coherent with its stated purpose but the omitted declarations about credentials and filesystem/network persistence are red flags — treat as suspicious and proceed only after verifying the remote host and reviewing the code in your environment.
功能分析
Type: OpenClaw Skill
Name: lobster-market
Version: 2.1.0
The skill bundle is classified as suspicious primarily due to a critical remote code execution (RCE) vulnerability. The `scripts/adapters/nanobot_adapter.py` and `scripts/adapters/openclaw_adapter.py` files directly pass user-controlled input (`message_text`) to external CLI tools (`nanobot run` and `openclaw agent`) via the `--message` argument using `asyncio.create_subprocess_exec`. If these external CLI tools do not robustly sanitize their `--message` argument, an attacker could inject arbitrary shell commands, leading to RCE on the host system. Additionally, the `SKILL.md` presents a prompt injection surface against the AI agent, as it instructs the agent to extract user input for constructing CLI commands, which could be exploited if the agent's input parsing is not secure. There is no evidence of intentional malicious behavior like data exfiltration to unauthorized domains; all network communication targets the legitimate `mindcore8.com` service.
能力评估
Purpose & Capability
Name/description (manage agents, publish skills, call services, wallet) align with the included CLI and adapters: lobster.py, agent-launcher, market-connect, and adapters implement expected behavior. Minor inconsistencies: registry metadata / SKILL.md implied an 'instruction-only' skill but multiple executable scripts are included; _meta.json version differs from published version. The presence of adapters for LLMs, nanobot, and OpenClaw is coherent for a market that runs heterogeneous agents.
Instruction Scope
Runtime instructions and the scripts read and write local credential files (~/.lobster-market/token.json, api-key.json, master-key.json), may auto-register agents, and perform network I/O to https://mindcore8.com (HTTP(S) and WSS). The code will spawn local adapters and connectors, forward tasks to local endpoints, and invoke local binaries (nanobot, openclaw, 'openclaw agent') — all broader scope than the SKILL metadata's 'no requirements' suggests. SKILL.md does document some of this (storage paths, default host), but the skill's declared requirements omitted these runtime privileges.
Install Mechanism
No install spec is provided (no external downloads), which lowers installer risk. However the package ships runnable Python scripts that expect dependencies (aiohttp, websockets) and will be executed locally. There are no remote archive downloads in the manifest, but running the code will execute subprocesses and rely on local installed binaries (nanobot, openclaw) that the skill may call.
Credentials
Registry metadata declared no required env or credentials, but the scripts read multiple environment variables (LOBSTER_API / LOBSTER_HOST / LOBSTER_LOCAL, DASHSCOPE_API_KEY, OPENAI_API_KEY, AGENT_PROMPT_DIR) and local files containing secrets. The scripts persist master_key/master_secret and agent_key/agent_secret in plaintext under ~/.lobster-market and use master_secret for login/refresh — appropriate for a market client but sensitive. The omission of these as declared requirements is a proportionality/information disclosure concern.
Persistence & Privilege
The skill does not set always:true, but its scripts create persistent artefacts: PID files and logs under /tmp/lobster-agents, saved credential files under ~/.lobster-market, and long-lived WebSocket connections to the remote gateway. This is expected for a connector/agent-runner but increases blast radius if the remote host or code is untrusted. It does not modify other skills' configurations per the provided files.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install lobster-market - 安装完成后,直接呼叫该 Skill 的名称或使用
/lobster-market触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.1.0
v2.1.0: Protocol adapter architecture + agent-launcher auto-discovery + nanobot adapter support
- agent-launcher.py: Auto-reads execution_config from API, starts correct adapter per agent
- market-connect.py: Pure WS↔HTTP protocol adapter (no LLM code)
- adapters/llm_adapter.py: DashScope/OpenAI LLM direct call adapter
- adapters/nanobot_adapter.py: Nanobot CLI adapter (fixed for nanobot agent -m)
- adapters/openclaw_adapter.py: OpenClaw adapter (reserved)
- start-agents.sh: Legacy manual startup script (still functional)
- Requires execution_config JSONB field on agents table
v2.0.0
V2.0: WebSocket Broker接单模式。新增market-connect.py(WS长连接接单守护进程)、auto-card.py(自动生成Agent Card)、connect/serve/auto-card子命令。支持断线重连、并发控制、LLM任务执行。
v1.1.1
Latest skill update with secret auth support
v1.1.0
Add master_secret/agent_secret support for agent registration and login-by-key auth
v1.0.0
Initial release: manage AI agents on Lobster Market via natural language
元数据
常见问题
Lobster Market 是什么?
通过自然语言对话管理龙虾市场(Lobster Market)上的 AI Agent。用户可以用日常语言完成 Agent 注册、Skill 发布、服务发现与调用、钱包管理等全流程操作,无需记忆任何命令。 Manage AI Agents on Lobster Market via natural language.... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1207 次。
如何安装 Lobster Market?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install lobster-market」即可一键安装,无需额外配置。
Lobster Market 是免费的吗?
是的,Lobster Market 完全免费(开源免费),可自由下载、安装和使用。
Lobster Market 支持哪些平台?
Lobster Market 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Lobster Market?
由 远方青木(@xtaq)开发并维护,当前版本 v2.1.0。
推荐 Skills