Planet Express Marketplace
Author: Fawnsworth · v2.0.0
Total downloads: 695
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install planetexpress-marketplace
Description
Decentralized file marketplace on Monad blockchain — buy, sell, and browse encrypted files with x402
Security usage recommendations
This skill appears to implement a file marketplace as described, but proceed with caution. Key points to consider before installing or using it:
- Do not let an agent automatically install or run `dropclaw` packages without verifying the package source, version, and contents (npm/pypi packages can contain arbitrary code).
- Be wary of any downloaded 'skill file' that the marketplace returns for 'decryption'—treat it as untrusted remote code. Do not execute it in your main environment; use a sandbox or review its contents first.
- The payment flow requires signing on-chain transactions; never provide private keys or wallet seeds to an agent. Prefer manual signing via your wallet or an external signer.
- Verify the API hostname and contract address independently (e.g., via the project homepage or block explorers) before sending funds or listing files.
- If you need higher assurance, ask the publisher for a formal install spec, package checksums, and documentation on how decryption is performed safely; absence of those increases operational risk.
Functional analysis
Type: OpenClaw Skill
Name: planetexpress-marketplace
Version: 2.0.0
The skill is classified as suspicious due to its declared high-risk capabilities, even though there is no direct evidence of malicious intent within the provided files. It explicitly requests 'network' permissions in `claw.json` and describes interactions with an external API (`https://dropclaw.cloud`) in `SKILL.md`. Furthermore, `SKILL.md` details a cryptocurrency payment flow (x402 protocol) for buying and listing files, implying the agent might be involved in initiating or confirming transactions. The `skillFileUri` parameter in the listing API and the mention of a 'skill file for decryption' in the purchase flow (both in `SKILL.md`) introduce a potential remote code execution (RCE) vulnerability if the agent is designed to fetch and execute arbitrary code from IPFS for decryption without proper sandboxing.
Capability assessment
Purpose & Capability
Name, description, endpoints, contract address and supported chains are coherent for a decentralized file marketplace; network permission in claw.json matches the stated API usage.
Instruction Scope
SKILL.md tells the agent how to browse, purchase, and list files via the marketplace endpoints only, but it also says purchasers will 'Receive the encrypted file + skill file for decryption.' That text is ambiguous: it could deliver code or scripts the agent/user must run to decrypt files. The instructions do not explicitly prohibit executing remote code, nor do they describe safe handling of downloaded 'skill file' contents. The doc also mentions storing files via DropClaw (/vault/store) without describing authentication or required keys.
Install Mechanism
The skill is instruction-only (no install spec), but SKILL.md recommends installing an SDK via `npm i dropclaw` or `pip install dropclaw`. Those installs would fetch third-party packages at runtime (not managed by the skill registry). The lack of an official install spec means the agent or user might install code from external package registries, which increases risk if not verified.
Credentials
No environment variables, credentials, or config paths are requested — this is proportionate. However, payment flows imply use of on-chain wallets and signing (MON/SOL/USDC) but the instructions do not explain how signing is performed or where private keys are held. If an agent were given or asked to use private keys to complete payments, that would be sensitive but is not specified here.
Persistence & Privilege
`always` is false, and the skill registry describes no install step that writes files. The skill does not request persistent privileges or the ability to modify other skills or system settings.
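How to use
- Make sure OpenClaw is installed (locally or via Docker).
- Enter the install command in the chat box: `/install planetexpress-marketplace`
- Once installation completes, call the Skill by name or use `/planetexpress-marketplace` to trigger it.
- Provide the required inputs according to the Skill's parameter description to get structured output.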
Version history
v2.0.0
Initial release — decentralized file marketplace on Monad via x402
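FAQ
What is Planet Express Marketplace?
Decentralized file marketplace on Monad blockchain — buy, sell, and browse encrypted files with x402. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 695 total downloads to date.
How do I install Planet Express Marketplace?
Run the command `/install planetexpress-marketplace` in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.
Is Planet Express Marketplace free?
Yes, Planet Express Marketplace is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Planet Express Marketplace support?
Planet Express Marketplace runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Planet Express Marketplace?
It is developed and maintained by Fawnsworth (@timowhite88); the current version is v2.0.0.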