← 返回 Skills 市场
fcfsprojects

Virtuals Protocol Acp

作者 fcfsprojects · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
1031
总下载
0
收藏
11
当前安装
1
版本数
在 OpenClaw 中安装
/install openclaw-acp
功能描述
Create jobs and transact with other specialised agents through the Agent Commerce Protocol (ACP) — extends the agent's action space by discovering and using...
安全使用建议
Before installing or running this skill, consider the following: - Trust & provenance: This package's source/homepage are not verified here; confirm you trust Virtuals Protocol and the exact repo contents before running any code or giving it keys. - Sensitive credential: LITE_AGENT_API_KEY maps to an agent identity and wallet; only provide it if you intend the skill to operate with on-chain funds. Avoid giving high-privilege keys to untrusted code. - Automatic payments: Creating jobs can trigger protocol-handled payments. Do not run job-creation commands against a funded wallet unless you understand and approve the payment flows. - Seller runtime risk: `acp serve start` runs handlers from the repo which may execute shell commands, make network calls, or perform transactions. Review any handlers.ts/offering files before starting the runtime; do not run the seller runtime on machines with valuable credentials or real funds unless audited. - Local config.json: The CLI writes credentials to config.json in the repo root. Ensure this file is git-ignored and stored securely; inspect its contents after running `acp setup`. - Minimize blast radius: Consider running this skill in an isolated environment (sandbox, ephemeral VM, or container) with limited network access and a separate low-value wallet for testing. - Audit dependencies and code: Run a dependency audit (npm audit), inspect package-lock.json, and review the included handlers and runtime code for network endpoints or calls you don't expect. If you want to proceed safely: do not run `serve start` or any job-creation commands until you have reviewed the code and confirmed the wallet/API key scope; use a throwaway/test wallet and restrict agent autonomy until you are comfortable.
功能分析
Type: OpenClaw Skill Name: openclaw-acp Version: 0.1.0 The skill is classified as suspicious due to a Server-Side Request Forgery (SSRF) vulnerability in `src/commands/resource.ts` which allows HTTP GET requests to arbitrary, user-controlled URLs, potentially enabling internal network scanning. Additionally, the design of the seller runtime explicitly allows for 'Code/script execution' within dynamically loaded `handlers.ts` files (as described in `SKILL.md` and `references/seller.md`), creating a high-risk prompt injection surface where a compromised agent could be instructed to write and execute arbitrary code on the host running the seller runtime.
能力评估
Purpose & Capability
Name/description describe an Agent Commerce Protocol CLI and the code, commands, and declared primary credential (LITE_AGENT_API_KEY) match that purpose: marketplace browsing, job creation, wallet operations, token launch, and seller runtime.
Instruction Scope
SKILL.md instructs the agent to run the included CLI from the repo root (npm install then `acp ... --json`), to run `acp setup` which writes credentials to config.json, to query arbitrary resource URLs, and to scaffold/edit/serve offering handlers. The seller docs explicitly allow executeJob handlers to run shell commands, call external APIs, and perform on-chain operations — giving the skill (or code dropped into the repo) the ability to execute arbitrary code and make network requests and transactions. The instructions also require capturing CLI stdout and returning it, which means secrets written into config.json or CLI output could be relayed.
Install Mechanism
There is no automated install spec, but SKILL.md requires `npm install` and running the included TypeScript CLI (tsx). Dependencies are standard (axios, dotenv, socket.io-client) and pulled from npm via package.json/package-lock. That is typical but still means executing third-party packages and running local Node code — moderate risk compared to an instruction-only skill.
Credentials
The primary credential LITE_AGENT_API_KEY is appropriate for an ACP client. However, the README/SKILL.md refer to a repo-local config.json which will store LITE_AGENT_API_KEY plus SESSION_TOKEN and SELLER_PID (session and runtime state) even though only LITE_AGENT_API_KEY is declared. More importantly, the skill enables wallet operations and claims payments are handled automatically after job creation — the agent (or the CLI when invoked) can cause real on-chain fund movements or purchases. Requesting an API key that controls an agent wallet is a high-privilege action and should be granted only when you fully trust the code and endpoints.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). But the skill supports `serve start` that runs a seller runtime (writes SELLER_PID) and accepts jobs from the network; combined with wallet access and handlers that can run arbitrary code, a running seller could autonomously execute actions that spend funds or perform network I/O. The skill can persist state in config.json in the repo root. This level of persistence + funds capability increases blast radius and should be controlled (do not run the seller runtime on sensitive accounts).
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install openclaw-acp
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /openclaw-acp 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial public release of openclaw-acp skill. - Adds integration with the Agent Commerce Protocol (ACP), enabling agents to discover, buy, and sell services on the Virtuals marketplace. - Provides a unified CLI (`acp`) for managing agent profiles, jobs, wallet, tokens, and selling offerings. - Supports registering and managing service offerings, launching agent tokens, and handling transactions between agents. - Includes step-by-step setup to authenticate and configure the skill with an API key. - Detailed workflows and command references included for agent operations, job management, and seller runtime.
元数据
Slug openclaw-acp
版本 0.1.0
许可证
累计安装 12
当前安装数 11
历史版本数 1
常见问题

Virtuals Protocol Acp 是什么?

Create jobs and transact with other specialised agents through the Agent Commerce Protocol (ACP) — extends the agent's action space by discovering and using... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1031 次。

如何安装 Virtuals Protocol Acp?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-acp」即可一键安装,无需额外配置。

Virtuals Protocol Acp 是免费的吗?

是的,Virtuals Protocol Acp 完全免费(开源免费),可自由下载、安装和使用。

Virtuals Protocol Acp 支持哪些平台?

Virtuals Protocol Acp 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Virtuals Protocol Acp?

由 fcfsprojects(@fcfsprojects)开发并维护,当前版本 v0.1.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论