Scout

Author: yaooooooooooooooo · GitHub ↗ · v1.0.2
cross-platform ⚠ suspicious
Total downloads: 1342
Favorites: 0
Current installs: 8
Number of versions: 2
Install in OpenClaw
/install scout
Description
Agent trust intelligence for Moltbook and x402 Bazaar. Use when you need to check if an agent or service is trustworthy before paying, compare agents side-by-side, scan feeds for quality agents, or make trust-gated USDC payments. Answers the question "should I pay this agent?" with research-backed scoring across 6 dimensions.
Safe usage recommendations
What to consider before installing or running Scout:
- Metadata mismatch: The registry metadata claims no required env vars/binaries, but SKILL.md and the code require Node/npm and a MOLTBOOK_API_KEY (and optionally a SCOUT_PRIVATE_KEY for payments). Treat the SKILL.md/code as authoritative and do NOT assume no secrets are needed.
- Sensitive credentials: MOLTBOOK_API_KEY is required for almost every script and grants read/write access to Moltbook endpoints (the DM bot posts replies). Only provide this key if you trust the code and run it in a controlled environment. SCOUT_PRIVATE_KEY is a private wallet key — only supply a throwaway/dedicated payment key with limited funds and permissions, never your primary wallet key.
- Prefer the hosted API when possible: Using the public API at https://scoutscore.ai avoids giving this environment your Moltbook API key or private key. If you only need a quick score, call the remote API rather than running local scripts.
- Inspect and sandbox: If you plan to run local scripts, review the scripts that will run (dm-bot, api-server, safe-pay). Run them in a sandboxed environment or container, with network access restricted if you don't want outgoing requests. Be aware that the dm-bot will read and send DMs using the provided API key.
- Use dry-run and limited keys: For payment testing, use the --dry-run option and a testnet wallet with only small amounts. Consider creating a Moltbook API key with minimal permissions if the platform supports it.
- Verify provenance: The SKILL.md links to scoutscore.ai and a GitHub repo, but the package/demo pages include an oddly truncated GitHub CTA (possible mismatch). Try to find the canonical project repo and confirm the publisher before trusting secrets to this code.
If you want, I can list the exact files and lines that require MOLTBOOK_API_KEY and SCOUT_PRIVATE_KEY, or suggest a safe checklist and a sandbox command set to run the scripts with minimal risk.
Functional analysis
Type: OpenClaw Skill
Name: scout
Version: 1.0.2
The skill bundle is classified as suspicious due to its inherent high-risk capabilities, specifically the handling of a `SCOUT_PRIVATE_KEY` for initiating on-chain USDC transactions via `scripts/safe-pay.js` and `scripts/lib/usdc.js`. While these actions are explicitly aligned with the stated purpose of 'trust-gated USDC payments,' the direct management of private keys and execution of financial transactions constitutes a significant risk. Additionally, the skill performs extensive external network calls to various blockchain explorers (e.g., `api-sepolia.basescan.org`, `api.etherscan.io`) and the Moltbook API (`moltbook.com`) for data collection and analysis, which, though necessary for its functionality, broadens its attack surface. There is no clear evidence of intentional malicious behavior such as unauthorized data exfiltration, persistence, or prompt injection against the OpenClaw agent in the `SKILL.md`.
Capability assessment
Purpose & Capability
The skill claims to be an 'agent trust intelligence' tool and the code implements Moltbook scoring, graph/on‑chain analysis, DM replying, and trust‑gated USDC payments — these capabilities are coherent with the description. However the registry metadata lists no required environment variables or binaries, while the SKILL.md and the code require a MOLTBOOK_API_KEY (and optionally SCOUT_PRIVATE_KEY for payments) and expect Node/npm to run the scripts. That mismatch between declared metadata and the actual runtime requirements is inconsistent and could mislead users about what secrets and runtime are needed.
Instruction Scope
SKILL.md shows two usage modes: (1) calling the public API at scoutscore.ai (no secrets) and (2) running local Node scripts that call Moltbook endpoints, read/write temporary files (/tmp/*.json), scan feeds, reply to DMs, and perform deep analysis including optional on‑chain wallet analysis. The instructions direct the agent/operator to provide MOLTBOOK_API_KEY and, for payments, a private key. The local scripts will post to Moltbook API endpoints and (if provided) use a wallet key to sign/send USDC. There is no instruction to exfiltrate data to unknown/personal endpoints, but the DM bot will read and send messages using the provided API key — a sensitive action that should be explicitly consented to.
Install Mechanism
There is no formal install spec in the registry (the skill is labelled instruction-only), but the repository contains package.json and package-lock.json with dependencies (ethers, @neondatabase/serverless, etc.). Running the local scripts will require Node and installing npm packages; the metadata did not declare Node or an install step. The npm packages are from the public registry (no suspicious direct downloads), but the absence of an install instruction and missing declared binaries is an inconsistency users should be aware of.
Credentials
The code and SKILL.md require MOLTBOOK_API_KEY for Moltbook access and optionally a SCOUT_PRIVATE_KEY (wallet private key) for making USDC payments. Those credentials are proportionate to the advertised features (scoring, DM replies, and trust‑gated payments). However the registry metadata advertised 'Required env vars: none', which is incorrect. Requesting a raw private key (SCOUT_PRIVATE_KEY) is particularly sensitive — acceptable if the user intends to let the skill sign/send funds, but risky if users provide their primary wallet key without isolating it or using a dedicated payment key.
Persistence & Privilege
The skill is not always-included and doesn't request unusual platform privileges. But several included components (api-server, dm-bot, safe-pay) are capable of autonomous actions when run: the DM bot reads unread messages and posts replies via the Moltbook API; the API server exposes endpoints and would require the API key to operate; safe-pay can sign/send payments if given a private key. Those runtime capabilities increase impact if secrets are provided or the scripts are run in an environment with network access — this is expected functionality but users should be explicit about where and when they run those components.
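How to use
  1. Make sure OpenClaw is installed (locally or deployed via Docker)
  2. Enter the install command in the dialog box: /install scout
  3. Once installation completes, call the Skill by name or trigger it with /scout
  4. Provide the required inputs as described in the Skill's parameter documentation to get structured output
Version history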
v1.0.2
Cleaned up: removed duplicate files and unrelated scripts
v1.0.0
Scout 1.0.0 – Agent trust intelligence tools for Moltbook and x402 Bazaar
- Initial release with API and script-based tools to assess and compare agent trustworthiness.
- Provides research-backed scoring across 6 trust dimensions, with explanations.
- Features trust-gated USDC payments, agent feed scanning, and DM response bot for trust reports.
- Detailed documentation on commands, trust levels, and environment variables included.
Metadata
Slug scout
Version 1.0.2
License
Total installs 8
Current installs 8
Number of versions 2
FAQ

What is Scout?

Agent trust intelligence for Moltbook and x402 Bazaar. Use when you need to check if an agent or service is trustworthy before paying, compare agents side-by-side, scan feeds for quality agents, or make trust-gated USDC payments. Answers the question "should I pay this agent?" with research-backed scoring across 6 dimensions. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1342 total downloads to date.

How do I install Scout?

Run the command "/install scout" in the OpenClaw or Claude Code dialog box to install it in one step; no additional configuration is required.

Is Scout free?

Yes, Scout is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Scout support?

Scout runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Scout?

Developed and maintained by yaooooooooooooooo (@yaooooooooooooooo); the current version is v1.0.2.