← 返回 Skills 市场
Niuma Bounty
作者
futeyaoshi
· GitHub ↗
· v1.3.1
· MIT-0
161
总下载
0
收藏
0
当前安装
28
版本数
在 OpenClaw 中安装
/install niuma-bounty
功能描述
Interact with the Niuma Bounty on-chain task platform on XLayer testnet: query, create, join, submit, review, bid, approve, reject, and manage tasks and bala...
安全使用建议
This skill appears functionally correct for interacting with the Niuma Bounty testnet contracts, but it requires signing transactions. Before installing or running it:
- Do NOT supply your main wallet private key to an agent or paste it into chat. Prefer an external signing wallet (the SKILL.md recommends OKX Agentic Wallet) or a hardware wallet.
- Note the manifest metadata does not declare NIUMA_WALLET_SECRET or NIUMA_RPC even though the instructions and script use them — treat this as a red flag and ask the skill author to declare required env vars in metadata.
- If you must test, use a throwaway/test account with minimal funds on the testnet.
- If you will run npm install locally, review package-lock.json and the dependency sources (mirrors.tencentyun.com) before installing; prefer official registries or verify package integrity.
- Review the scripts/niuma.js code (or have a developer do so) to confirm there are no unexpected network endpoints or logging of secrets. If you want the skill to be safer, require support for external signing (unsigned tx building + wallet signing) and update metadata to list required env vars clearly.
功能分析
Type: OpenClaw Skill
Name: niuma-bounty
Version: 1.3.1
The niuma-bounty skill is a functional tool for interacting with the Niuma Bounty Platform on the XLayer testnet. The code in scripts/niuma.js uses the ethers.js library to perform standard blockchain operations such as querying task status, creating tasks, and submitting work proofs. It includes robust pre-transaction validation logic and provides a 'build-tx' mode to support secure signing via external wallets. While it handles private keys through the NIUMA_WALLET_SECRET environment variable, the documentation explicitly recommends using the OKX Agentic Wallet for better security. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
能力评估
Purpose & Capability
Name/description align with the included CLI (scripts/niuma.js) and the ABI/contract addresses for XLayer testnet; the code implements the advertised read/write actions (create, participate, submit, approve, dispute, bidding). However the package metadata declares no required environment variables while the SKILL.md and script clearly expect NIUMA_WALLET_SECRET (private key) and optionally NIUMA_RPC; that's an inconsistency between stated requirements and actual operation.
Instruction Scope
SKILL.md explicitly instructs users/agents to set NIUMA_WALLET_SECRET=<private_key> and run write commands that sign transactions. That means the agent or operator will be handling raw private keys. The documentation suggests using an external Agentic Wallet to avoid exposing keys, but still provides examples that place the raw private key in environment variables. The skill's runtime instructions therefore require the collection and use of highly sensitive secrets; this is outside what the registry metadata declared and broadens the attack surface (exfiltration risk if the agent transmits or logs secrets).
Install Mechanism
No install spec is provided (instruction-only from the platform perspective), but package.json and package-lock.json are included, implying npm usage if a user executes locally. package-lock shows dependency resolution URLs that point to mirrors.tencentyun.com rather than primary npm registries; while dependencies themselves (ethers, etc.) are legitimate, the non-standard mirror should be reviewed before 'npm install' to ensure supply-chain integrity.
Credentials
The skill asks for a raw private key (NIUMA_WALLET_SECRET) for signing transactions and supports overriding RPC via NIUMA_RPC, yet the registry metadata lists no required environment variables or primary credential. Requesting a private key is proportionate to the write actions on-chain, but failing to declare this in metadata and providing examples that encourage putting the key in the environment is an avoidable security risk. Users must not provide main-wallet private keys to an agent or place them in cleartext env variables without understanding the implications.
Persistence & Privilege
The skill does not request 'always: true', does not declare system config paths, and does not modify other skills. Autonomous invocation is allowed by default (normal). There is no evidence the skill attempts to persist beyond its own files or alter platform-wide settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install niuma-bounty - 安装完成后,直接呼叫该 Skill 的名称或使用
/niuma-bounty触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.3.1
合约全部重新部署,新NIUMA token初始供应0,owner管理admin,admin可mint任意数量
v1.3.0
fix: create/stake内部自动approve改为MaxUint256,一次授权永久有效,不再每次重复approve
v1.2.9
feat: approve/reject-submission加参数校验;拒绝必须提供原因;SKILL.md补充雇主审核Agent交互规范(先展示参与者→询问通过/拒绝→执行)
v1.2.8
feat: submit命令缺少凭证时给出明确提示和示例;SKILL.md补充Agent提交凭证交互规范(先收集图片URL/文字再执行)
v1.2.7
feat: task-participants <taskId> 查看所有参与者、提交凭证、审核状态,方便雇主审核
v1.2.6
docs: SKILL.md全量更新,覆盖所有命令、注意事项、合约地址
v1.2.5
feat: 邀请系统支持 referral-info(查看邀请统计/奖励记录/邀请链接) 和 bind-inviter(绑定邀请人)
v1.2.4
feat: profile(用户信息+冷却状态)/my-tasks/my-created/bind-telegram/bind-twitter/bind-email;SKILL.md补充OKX Agentic Wallet推荐
v1.2.3
feat: 新增categories/tokens查询;SKILL.md完整文档含RPC限速/Gas/接单/竞标/裁决注意事项
v1.2.2
feat: 竞标流程完整支持 submit-bid/cancel-bid/select-bidder,bids查询修复tuple解码问题
v1.2.1
feat: 新增直接执行命令 submit/approve-submission/reject-submission/create-dispute,命令支持连字符格式
v1.2.0
fix: 所有写操作先estimateGas,失败时抛出明确错误信息而非静默使用固定gasLimit
v1.1.9
fix: gas buffer 120%→130%,修复createTask/approveSubmission等复杂交易out of gas问题
v1.1.8
build-tx 新增 createDispute(发起裁决)和 resolveDispute(解决裁决)命令
v1.1.7
修复eligibility检查:改用canAcceptTask(address,uint256,address),准确区分冷却时间/信用分不足/押金不足三种失败原因
v1.1.6
修正接单冷却时间参数(正确值3600秒/1小时),check-participate 准确显示冷却剩余分钟数
v1.1.5
check-participate 新增合约级资格验证:准确识别接单失败真实原因(冷却时间/activeCount限制),不再误报"所有检查通过"
v1.1.4
精简 SKILL.md:去掉冗余说明,移除硬编码限额(改为链上动态读取)
v1.1.3
前置检查:发任务/接单/充值押金前自动验证余额、押金、分类、时间、名额等条件,不满足直接报错取消,新增 check-create / check-participate 预检命令
v1.1.2
docs: add participate restrictions note
元数据
常见问题
Niuma Bounty 是什么?
Interact with the Niuma Bounty on-chain task platform on XLayer testnet: query, create, join, submit, review, bid, approve, reject, and manage tasks and bala... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 161 次。
如何安装 Niuma Bounty?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install niuma-bounty」即可一键安装,无需额外配置。
Niuma Bounty 是免费的吗?
是的,Niuma Bounty 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Niuma Bounty 支持哪些平台?
Niuma Bounty 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Niuma Bounty?
由 futeyaoshi(@futeyaoshi)开发并维护,当前版本 v1.3.1。
推荐 Skills