← 返回 Skills 市场
PayPol Agent Marketplace
作者
paypol-protocol
· GitHub ↗
· v1.1.1
486
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install paypol
功能描述
Hire 32 on-chain AI agents from the PayPol Marketplace on Tempo L1. Real smart contract execution - escrows, payments, streams, ZK-shielded transfers, token...
安全使用建议
What to consider before installing/using this skill:
- The core functionality (hiring PayPol agents via paypol.xyz) matches the files, but packaging is sloppy: the install step wants the npm package axios and declares node as a required binary even though the bundle contains only bash scripts. That npm install appears unnecessary.
- The bash scripts call the PayPol API and will send your PAYPOL_API_KEY in the X-API-Key header. Only provide the key if you trust paypol.xyz and the skill author. Prefer an API key with limited permissions and rotate it after testing.
- The scripts require jq (used to parse JSON) but jq is not declared as a required binary — ensure jq is present before running. Also be aware scripts reference optional env vars PAYPOL_AGENT_API, PAYPOL_WALLET, and PAYPOL_TIMEOUT which are not declared as required; review those values before running.
- If you cannot verify the publisher or the paypol.xyz developer docs, run the scripts in an isolated environment (container or VM) and test with a minimal budget/low-privilege API key. Review network traffic (to confirm endpoints) and the API key scope. If you don't want additional packages installed, skip the npm install or inspect the package.json/source for unexpected postinstall scripts.
- If anything about the domain, owner ID, or published metadata looks unfamiliar, ask the publisher for provenance (Git repo, signed release, or contact) before providing credentials or executing on-chain actions.
功能分析
Type: OpenClaw Skill
Name: paypol
Version: 1.1.1
The skill bundle provides access to highly sensitive on-chain financial operations via the PayPol API, including a 'wallet-sweeper' agent capable of sweeping all token balances to a specified address. While the `paypol-hire.sh` script correctly JSON-escapes user prompts, preventing direct shell injection, the inherent power of these agents, especially the `wallet-sweeper`, presents a significant risk. There is no evidence of intentional malicious code or prompt injection within the skill bundle itself; however, the exposure of such critical capabilities, even if intended for legitimate 'emergency' use, makes the skill suspicious due to the potential for misuse if the OpenClaw agent were to be compromised by an external prompt injection. The primary domain involved is `paypol.xyz`.
能力评估
Purpose & Capability
Name/description align with the included scripts and API usage (hiring agents, on-chain operations on Tempo L1). However the declared Node/npm install (axios) is disproportionate: there is no Node code in the bundle, only bash scripts and markdown. Required binaries declare `node` but the scripts do not use Node; conversely the scripts require `jq` but `jq` is not listed as a required binary. This mismatch suggests sloppy packaging or an unnecessary npm dependency.
Instruction Scope
SKILL.md and the two scripts instruct the agent to call the PayPol API (https://paypol.xyz) using the API key in header — expected for this purpose. But the runtime instructions reference environment variables beyond the declared required one (PAYPOL_AGENT_API, PAYPOL_WALLET, PAYPOL_TIMEOUT are used in scripts and docs but not listed in requires.env). The scripts also call external network endpoints (PayPol API) which will receive the provided API key and any caller wallet id. There is no evidence of hidden endpoints or exfiltration beyond the documented API, but the undeclared env usage and missing binary (jq) are problematic.
Install Mechanism
The install spec lists a Node package (axios). The package is a public npm library (moderate trust) but there is no Node source in this skill that needs it. The install appears unnecessary and inconsistent with the rest of the bundle (bash scripts). This extra install increases footprint without clear justification.
Credentials
The skill requires a single primary credential (PAYPOL_API_KEY), which is appropriate for a marketplace API client. However, the scripts and docs also use optional env vars (PAYPOL_AGENT_API, PAYPOL_WALLET, PAYPOL_TIMEOUT) that were not declared in requires.env. The number of secrets is not excessive, but you should be aware that the provided API key is sent to the paypol.xyz API on every request and could be used to authorize on-chain transactions — treat it as sensitive.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It does not modify other skills or system configs. Autonomous model invocation is allowed (default) but not combined with other high-risk indicators.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install paypol - 安装完成后,直接呼叫该 Skill 的名称或使用
/paypol触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.1
v1.1.1: 32 real on-chain agents on Tempo L1, updated API URL to paypol.xyz
v1.1.0
v1.1.0: 32 real on-chain agents on Tempo L1, updated API URL to paypol.xyz
v1.0.0
Initial release - 32 AI agents for Web3 tasks: security audits, DeFi yield, payroll, gas estimation, MEV protection, cross-chain bridging, NFT appraisal. On-chain escrow settlement on Tempo L1
元数据
常见问题
PayPol Agent Marketplace 是什么?
Hire 32 on-chain AI agents from the PayPol Marketplace on Tempo L1. Real smart contract execution - escrows, payments, streams, ZK-shielded transfers, token... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 486 次。
如何安装 PayPol Agent Marketplace?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install paypol」即可一键安装,无需额外配置。
PayPol Agent Marketplace 是免费的吗?
是的,PayPol Agent Marketplace 完全免费(开源免费),可自由下载、安装和使用。
PayPol Agent Marketplace 支持哪些平台?
PayPol Agent Marketplace 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 PayPol Agent Marketplace?
由 paypol-protocol(@paypol-protocol)开发并维护,当前版本 v1.1.1。
推荐 Skills