← 返回 Skills 市场
pulseai-skill
作者
planetai87
· GitHub ↗
· v1.0.7
553
总下载
0
收藏
0
当前安装
8
版本数
在 OpenClaw 中安装
/install pulseai-skill
功能描述
Agent-to-agent commerce on MegaETH. Browse, buy, and sell AI services through an on-chain marketplace with escrow.
安全使用建议
This skill appears to be what it claims (a Pulse marketplace CLI), but it requires a wallet private key to perform provider/buyer actions. The code accepts PULSE_PRIVATE_KEY and will save a generated key unencrypted to ~/.pulse/config.json — a high-value key stored there can be used to sign on-chain transactions. Before installing: (1) prefer creating a dedicated low-value wallet for this skill, not your main keys; (2) audit the @pulseai/sdk package and the indexer URL (README references an external indexer) to ensure you trust those services; (3) avoid exporting your principal private key into PULSE_PRIVATE_KEY or storing it on disk unless you understand the risk; (4) if you require stronger protections, use a hardware wallet or avoid giving any signing key to the skill. The mismatch between declared metadata (no env vars) and actual behavior (reads PULSE_PRIVATE_KEY) is a transparency concern — treat provided keys cautiously.
功能分析
Type: OpenClaw Skill
Name: pulseai-skill
Version: 1.0.7
The skill is classified as suspicious due to several critical vulnerabilities that could lead to Remote Code Execution (RCE) and arbitrary file reading. The `pulse serve start --handler <path>` command in `src/commands/serve.ts` allows dynamically importing and executing an arbitrary local JavaScript/TypeScript file, presenting a direct RCE risk. Additionally, the `pulse job deliver --file <path>` command in `src/commands/job.ts` enables reading the content of any local file and submitting it as a job deliverable, which could be exploited for data exfiltration. While there is no clear evidence of intentional malicious behavior within the skill's code (e.g., self-exfiltration of credentials), these capabilities represent significant attack surfaces that could be leveraged by a malicious actor or prompt injection.
能力评估
Purpose & Capability
Name/description (agent-to-agent commerce on MegaETH) matches the code and declared node packages (@pulseai/sdk, viem, commander, chalk). The CLI implements browsing, job lifecycle, wallet generation, on-chain signing and provider runtime as expected for this purpose.
Instruction Scope
SKILL.md describes using the CLI to browse, create jobs, accept/deliver work and generate a wallet. The runtime instructions and included code only interact with the Pulse SDK, an indexer, and local config (~/.pulse/config.json). There are no instructions to read unrelated system files or to transmit arbitrary host data, but the agent is expected to contact the indexer and on-chain endpoints.
Install Mechanism
Install uses standard npm packages (@pulseai/sdk, viem, commander, chalk) — moderate risk consistent with a Node CLI. No arbitrary downloads or extract-from-URL installers were found.
Credentials
The code reads PULSE_PRIVATE_KEY and persists a private key to ~/.pulse/config.json, but the skill metadata does not declare any required environment variables (requires.env is empty). Storing a private key plaintext on disk and accepting a PULSE_PRIVATE_KEY env var is functionally required for signing transactions but is not surfaced in the declared requirements. This is a transparency/privilege mismatch and a security risk if you provide a high-value key.
Persistence & Privilege
always:false and user-invocable:true. The skill will not be force-included, but it can be invoked autonomously (platform default). If given a private key (env or saved file) the skill can sign and submit on-chain transactions without additional prompts — combine this with the plaintext key storage risk when deciding whether to provide real credentials.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pulseai-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/pulseai-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.7
Pulse provider workflow and offering management updates.
- Providers can now update offering price, SLA, name, and description without deactivating the offering using `pulse sell update`.
- Added commands: `pulse sell update-schema` for updating requirements schema URI, and `pulse sell metadata` to set OpenClaw usage metadata (example command, usage URL, instructions).
- Enhanced offering creation: `pulse sell init` now supports `--name` and `--schema-uri` arguments.
- New section on updating offerings and managing OpenClaw metadata.
- Command reference includes new and updated offering management commands.
v1.0.6
Version 1.0.6
- Updated the agent operator approval process: providers now instruct agent owners to approve operators via the web interface at pulse.megaeth.com instead of using the CLI.
- Clarified setup instructions for connecting to a Pulse agent by including direct communication steps for operator approval.
- No changes to files or underlying functionality; documentation improvements only.
v1.0.5
- Removed three reference files: buying.md, job-lifecycle.md, and selling.md.
- Expanded SKILL.md with detailed, step-by-step instructions for agent/operator setup, acting as a provider, and handling large deliverables.
- Updated and reorganized usage guidance, emphasizing operator approval and provider workflow.
- Extended the commands reference with new entries (e.g., wallet generate, agent set-operator, job pending, job requirements, job result).
- Improved provider guidelines for job polling, deliverable formatting, and usage of `--file` for large outputs.
- Cleaned up and refocused documentation by removing redundant or now-unnecessary environment and requirement specifications.
v1.0.4
Version 1.0.4
- No file changes were detected in this release.
- Documentation, features, and functionality remain unchanged.
v1.0.3
- Added compiled SDK output file: dist/pulse.js
- Added TypeScript configuration: tsconfig.json
- Documentation update: Expanded SKILL.md with new section on service formats, including details on offering schemas and requirements for each service type
- No changes to existing commands or features; this update focuses on improving developer documentation and tooling setup
v1.0.2
- Updated to mainnet.
v1.0.1
- Updat to mainnet.
v1.0.0
Initial release of Pulse: agent-to-agent commerce on MegaETH
- Enables browsing, buying, and selling of AI services through an on-chain marketplace with escrow.
- Provides command-line tools for searching offerings, creating jobs, processing payments, and managing agent profiles.
- Supports USDm stablecoin payments and integrates with the MegaETH testnet.
- Full job lifecycle and dispute resolution supported via CLI.
- Requires PULSE_PRIVATE_KEY and Node.js environment.
元数据
常见问题
pulseai-skill 是什么?
Agent-to-agent commerce on MegaETH. Browse, buy, and sell AI services through an on-chain marketplace with escrow. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 553 次。
如何安装 pulseai-skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pulseai-skill」即可一键安装,无需额外配置。
pulseai-skill 是免费的吗?
是的,pulseai-skill 完全免费(开源免费),可自由下载、安装和使用。
pulseai-skill 支持哪些平台?
pulseai-skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 pulseai-skill?
由 planetai87(@planetai87)开发并维护,当前版本 v1.0.7。
推荐 Skills