metabot
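Author: Sunny Fung · v1.0.0
Total downloads: 628
Favorites: 2
Current installs: 0
Versions: 1
Install in OpenClaw
/install metabot-basic
Description
MetaBot is an AI agent/bot based on the MetaID protocol. This skill can be used to create a MetaBot, set a MetaBot avatar, send Buzz, and send on-chain messages. It is triggered when the user needs to create a MetaBot, change a MetaBot avatar, or send a buzz message. Requires Node.js >= 18, TypeSc...
Security recommendations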
This skill does what it claims (creates MetaBots, sets avatars, broadcasts Buzz) but handles highly sensitive material: it generates and stores BIP39 mnemonics and signs transactions. Before installing or running:
1) Inspect scripts/check_environment.sh to confirm what it will install or run (it may run npm install).
2) Be aware account.json (project root) will contain unencrypted mnemonics — treat that file as secret; consider placing the project in an isolated environment or encrypting the file.
3) Do not run these scripts on a machine with secrets you cannot afford to expose.
4) If you provide LLM API keys via .env, confirm getLLMConfigFromEnv behavior so keys are not accidentally written into account.json or logs.
5) Prefer testing in a disposable container/VM; review network endpoints (metalet.space, file.metaid.io) if you require stricter privacy.
If you need more assurance, ask the author for explicit documentation of which environment variables are expected and whether mnemonics can be stored encrypted or avoided.
Functional analysis
Type: OpenClaw Skill
Name: metabot-basic
Version: 1.0.0
The skill is classified as suspicious due to multiple Local File Disclosure/Inclusion (LFD/LFI) vulnerabilities. Specifically, `scripts/avatar.ts` (used by `scripts/create_agents.ts` and `scripts/create_avatar.ts`) allows reading arbitrary files via a user-controlled `filePath` parameter passed to `loadAvatarFromFilePath`, which uses `path.resolve` and `fs.readFileSync`. Similarly, `scripts/send_buzz.ts` allows reading arbitrary file content if the buzz message starts with `@` followed by a user-controlled `filePath`. These vulnerabilities could be exploited by an attacker to read sensitive files (e.g., credentials, private keys) from the agent's host system. Additionally, the skill handles highly sensitive data like mnemonics and LLM API keys, storing them in `account.json` at the project root, and `SKILL.md` instructs the AI agent to execute commands based on user input, which is a general prompt injection surface, though the LFD/LFI are more concrete vulnerabilities.
Capability assessment
Purpose & Capability
The code implements wallet generation, MetaID registration, avatar upload and Buzz broadcast — all consistent with the described MetaBot capabilities. The dependencies (wallet libraries, crypto, metaid client, sharp) are appropriate for those features. Minor mismatch: SKILL.md and registry metadata list no required environment variables, but the code / references mention reading LLM config from .env (getLLMConfigFromEnv / account.llm defaults).
Instruction Scope
Runtime instructions and scripts will generate and persist BIP39 mnemonics and addresses to account.json at the project root, read/write userInfo.json and log/error.md, read arbitrary local files (avatar image paths and '@file' content for buzz), and make network calls to MetaID/MVC endpoints (e.g., metalet.space, file.metaid.io). SKILL.md instructs running scripts that may auto-run npm install via check_environment.sh. The skill reads and writes sensitive secrets (mnemonics) to disk in plaintext and will sign transactions — these behaviors are within the tool's purpose but are high-sensitivity and not explicitly declared in the registry metadata.
Install Mechanism
No registry install spec is provided (instruction-only), but package.json lists many npm dependencies including @metalet/utxo-wallet-service, meta-contract, bitcoin libs and sharp. The SKILL.md's check_environment.sh may run npm install locally. Using npm packages is expected here, but dependencies include native modules (sharp) and a beta wallet package; installing them should be reviewed and done in a controlled environment.
Credentials
The registry declares no required env vars, but the code references environment-sourced LLM config and .env/.env.local as defaults for account.llm. The skill also creates and stores unencrypted mnemonics in account.json at the project root (shared with other metabot skills). The absence of declared env vars and the practice of persisting cryptographic secrets in plaintext are disproportionate risks that the user must accept consciously.
Persistence & Privilege
always:false (normal). The skill writes persistent files (account.json, userInfo.json, log/error.md) in the project root and may migrate an existing metabot/account.json into root — this is consistent with its multi-skill data model but means the skill will permanently store sensitive secrets and metadata on disk under the project root.
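How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install metabot-basic
- After installation, call the Skill by name or use /metabot-basic to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
metabot-basic 1.0.0 initial release:
- Provides MetaBot creation (generates a new mnemonic and account information and writes them to account.json).
- Supports setting an avatar for a MetaBot (the image must be smaller than 1MB).
- Supports sending Buzz protocol messages to the MVC network as any MetaBot identity.
- Provides simple command-line scripts: create, batch create, set avatar, send Buzz.
- Lists typical usage, environment dependencies and execution methods in detail.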
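FAQ
What is metabot?
MetaBot is an AI agent/bot based on the MetaID protocol. This skill can be used to create a MetaBot, set a MetaBot avatar, send Buzz, and send on-chain messages. It is triggered when the user needs to create a MetaBot, change a MetaBot avatar, or send a buzz message. Requires Node.js >= 18, TypeSc... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 628 cumulative downloads so far.
How do I install metabot?
Run the command "/install metabot-basic" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is needed.
Is metabot free?
Yes, metabot is completely free (open source and free) and can be freely downloaded, installed and used.
Which platforms does metabot support?
metabot runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed metabot?
It is developed and maintained by Sunny Fung (@newfish); the current version is v1.0.0.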