Near Batch Sender

Author: shaiss · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 1081
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install near-batch-sender
Description
Batch operations for NEAR tokens - send to multiple recipients, transfer NFTs, claim rewards with cost estimation.
Security usage advice
This skill implements the advertised NEAR batch operations but you should be cautious before installing or running it. Key points:
- The metadata does NOT declare that the 'near' CLI is required, but the script calls 'near' via shell exec; ensure you have NEAR CLI installed and understand which local keys/credentials it will use (e.g., ~/.near-credentials). Treat that as an implicit required dependency.
- The script builds shell commands by interpolating values from your JSON files directly into exec() calls. That is a command-injection risk: if any account, token_id, contract, or amount contains unexpected characters, an attacker controlling the JSON could run arbitrary shell commands. Only run this tool with trusted input files, or sanitize/validate inputs before use.
- The 'claim' operation is not implemented in the script; it warns that protocol-specific integration is required.
- Recommendations before use: review the script yourself (or run in a safe/test environment), run with a test account and small amounts first, ensure your NEAR CLI keys are secured, and consider reimplementing the command execution to call NEAR RPCs or use a native SDK / spawn with argument arrays (to avoid shell interpolation) rather than string-passed exec. If you expect the agent to call this autonomously, restrict autonomous invocation until you are comfortable with these risks.
Functional analysis
Type: OpenClaw Skill
Name: near-batch-sender
Version: 1.0.0
The `scripts/batch.js` file uses `child_process.exec` to run `near` CLI commands. Inputs such as `senderAccount` (from command-line arguments) and values from the input JSON files (e.g., `recipient.account`, `transfer.contract`) are directly interpolated into shell commands without proper sanitization. This creates a severe shell injection vulnerability, allowing an attacker to execute arbitrary commands on the system by crafting malicious input, which could lead to data exfiltration or other unauthorized actions.
Capability assessment
Purpose & Capability
Name/description match the code and README: the script performs batch sends, NFT transfers, and cost estimates. However the skill metadata declares no required binaries or credentials while both SKILL.md/README and the script expect the 'near' CLI to be installed and configured — a clear mismatch between declared requirements and actual capabilities.
Instruction Scope
The runtime instructions and script operate within the stated domain (read a JSON file, run batch operations). However the implementation constructs shell commands by interpolating user-provided fields directly into child_process exec calls (e.g., recipient.account, amount, transfer contract/token_id). This creates a command-injection risk if inputs are not strictly validated or controlled. The 'claim' command is only a placeholder and not implemented, which is a scope gap but not malicious by itself.
Install Mechanism
No install spec (instruction-only / script included) — lower risk of arbitrary remote code install. The code does rely on an out-of-band dependency (NEAR CLI) but that dependency is not declared in the metadata. The lack of an install step means nothing is automatically downloaded at install time, but runtime will invoke external binaries.
Credentials
The skill declares no required environment variables or credentials, yet it implicitly depends on NEAR CLI configuration (local key files / credentials under the user's NEAR config) to sign and send transactions. Not declaring this may mislead users about what will be accessed. No explicit external secrets are requested, but the script will cause the NEAR CLI to use whatever local keys are available — a potential surprise for users who haven't audited where keys live.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always is false, no install hooks). It will only run when invoked; it does not auto-enable itself or modify other skills or system-wide settings.
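How to use
  1. Make sure OpenClaw is installed (locally or deployed via Docker)
  2. Enter the install command in the chat box: /install near-batch-sender
  3. Once installation completes, invoke the Skill by name or trigger it with /near-batch-sender
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history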
v1.0.0
Initial release of NEAR Batch Sender:
- Batch send NEAR tokens to multiple recipients.
- Batch transfer NFTs to multiple accounts.
- Batch claim rewards or airdrops.
- Cost estimation for batch operations before execution.
- Progress tracking for batch operations.
Metadata
Slug near-batch-sender
Version 1.0.0
License
Total installs 0
Current installs 0
Number of historical versions 1
FAQ

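What is Near Batch Sender?

Batch operations for NEAR tokens - send to multiple recipients, transfer NFTs, claim rewards with cost estimation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1081 total downloads to date.

How do I install Near Batch Sender?

Run the command "/install near-batch-sender" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Near Batch Sender free?

Yes, Near Batch Sender is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Near Batch Sender support?

Near Batch Sender runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Near Batch Sender?

Developed and maintained by shaiss (@shaiss); the current version is v1.0.0.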
