← 返回 Skills 市场
MoonPay
作者
Kevin Arifin
· GitHub ↗
· v0.6.24
544
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install moonpay
功能描述
Your agent needs money. MoonPay is the crypto onramp for AI agents — wallets, swaps, bridges, transfers, DCA, limit orders, deposits, market data, and fiat o...
安全使用建议
This skill appears to be a legitimate CLI integration for MoonPay, but take these precautions before installing or enabling it: 1) Verify the npm package owner/publisher (@moonpay/cli) is authentic (check the package page, signatures, and publisher identity) before allowing a global npm install. 2) Be aware the CLI stores credentials locally (~/.config/moonpay/credentials.json and OS keychain) and can perform on-chain transfers and fiat buys — treat this like giving software access to a wallet. 3) Avoid running the MCP server (mp mcp) unless you trust every MCP client that can connect; it exposes CLI functionality to external clients and could allow other tools to trigger financial actions. 4) If you enable the skill for autonomous agent use, restrict agent permissions and monitor transactions closely (or require explicit human confirmation for buys/transfers). 5) If you only need read-only market data, prefer limiting the agent to token search/balance calls or use a read-only API key (if available). If you want, provide the actual npm package metadata (publisher, tarball checksum, or source repository) and I can re-check provenance and raise or lower confidence accordingly.
功能分析
Type: OpenClaw Skill
Name: moonpay
Version: 0.6.24
The skill bundle is classified as suspicious due to its inherent high-risk capabilities involving cryptocurrency transactions, wallet management, and fiat on/off-ramps. While the `SKILL.md` documentation itself does not contain explicit malicious instructions or prompt injections, it instructs the agent to install an external Node.js package (`@moonpay/cli`) via `npm install -g`, which introduces a supply chain vulnerability. The skill also involves managing cryptographic keys locally and performing irreversible financial operations, which, if exploited through a vulnerability in the underlying CLI tool or agent misuse, could lead to significant financial loss. The presence of safety rules (simulate-then-execute) is noted, but the overall risk profile remains high.
能力评估
Purpose & Capability
Name/description (MoonPay CLI for wallets, swaps, deposits, fiat on/off ramps) aligns with the declared install (npm package @moonpay/cli) and the required binary (mp). No unrelated environment variables or unrelated binaries are requested.
Instruction Scope
SKILL.md instructs typical CLI operations (login, wallet create, token swap) which are consistent with the purpose, but it also documents 'mp mcp' to start a local MCP server that 'exposes all CLI + remote tools to any MCP-compatible client'. That can expose wallet operations to other MCP clients and increases the attack surface. The doc also references the credentials storage path (~/.config/moonpay/credentials.json) even though 'required config paths' lists none; this should be expected for a CLI but is worth calling out.
Install Mechanism
Install is via an npm package (@moonpay/cli) which is a reasonable and expected mechanism for providing an 'mp' binary. npm installs are moderate-risk (packages can contain arbitrary code); this is proportionate to a full-featured CLI but you should verify package provenance (publisher, signature) before installing globally.
Credentials
The skill does not request environment variables or external credentials in the registry metadata, which is consistent with an interactive CLI that uses local login flows. The runtime doc references Bearer tokens and OAuth/PKCE and says credentials are stored at ~/.config/moonpay/credentials.json (OS keychain encryption claimed). Not requesting env vars is reasonable, but the skill will hold persistent credentials and private keys locally — that persistence and their storage location are important to review.
Persistence & Privilege
always:false and model-invocation not disabled (normal). The skill does not request force-inclusion privileges. Note: allowing autonomous agent invocation with a payments/trading CLI means the agent could initiate financial actions (swaps, transfers, buys) if given permission — consider limiting autonomy for financial operations.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install moonpay - 安装完成后,直接呼叫该 Skill 的名称或使用
/moonpay触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.6.24
Remove server-side tools section
v0.6.23
First moonwalk. One small step for agents, one giant leap for crypto.
元数据
常见问题
MoonPay 是什么?
Your agent needs money. MoonPay is the crypto onramp for AI agents — wallets, swaps, bridges, transfers, DCA, limit orders, deposits, market data, and fiat o... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 544 次。
如何安装 MoonPay?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install moonpay」即可一键安装,无需额外配置。
MoonPay 是免费的吗?
是的,MoonPay 完全免费(开源免费),可自由下载、安装和使用。
MoonPay 支持哪些平台?
MoonPay 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 MoonPay?
由 Kevin Arifin(@kevarifin14)开发并维护,当前版本 v0.6.24。
推荐 Skills