← 返回 Skills 市场

Upload Clawhub

Name: Upload Clawhub
Author: kledx

作者 kledx · GitHub ↗ · v6.0.5

cross-platform ⚠ suspicious

363

总下载

当前安装

版本数

在 OpenClaw 中安装

/install shll-skills

功能描述

Execute DeFi transactions on BSC via SHLL AgentNFA. The AI handles all commands and users only need to chat.

安全使用建议

Before installing or enabling this skill: - Do not reuse any main/owner/private wallets. If you test, create a dedicated operator wallet with minimal BNB (as the SKILL.md recommends). - Resolve the metadata mismatch: the platform metadata lists no required env vars but SKILL.md requires RUNNER_PRIVATE_KEY. Ask the publisher to correct the registry entry and explain how the key is supplied at runtime. - Never paste your main private key into chat. Prefer ephemeral keys or local environment variables managed by you, not written into persistent agent config files. - The SKILL.md recommends writing RUNNER_PRIVATE_KEY into agent config files (e.g., Claude/Cursor). Avoid storing a private key in plaintext config files — request alternative signing workflows (local signer, hardware wallet, or ephemeral session only) or confirm that the key is encrypted at rest and not uploaded anywhere. - Verify the on-chain contract addresses and review the PolicyGuard contract on BscScan (the SKILL.md gives an address; independently confirm the published source matches expected behavior). - If you plan to install the npm package, audit the package source code (GitHub repo and published tarball) locally before running it; prefer installing in an isolated VM/container. - Ask the developer how the agent receives and stores the RUNNER_PRIVATE_KEY at runtime, whether it performs any network calls with the key, and whether any logs might leak it. - If you are not comfortable with storing or letting an agent handle a private key, do not install the skill. Consider read-only alternatives or strictly manual signing flows. Providing these clarifications and mitigations to the skill author (or withholding enabling the skill until answered) will reduce the risk of accidental key exposure.

功能分析

Type: OpenClaw Skill Name: shll-skills Version: 6.0.5 The bundle provides a DeFi execution toolkit (CLI and MCP) for the BNB Chain, centered around a dual-wallet architecture and on-chain policy enforcement via a 'PolicyGuard' contract. The instructions in SKILL.md and README.md are heavily focused on security, explicitly directing the AI agent to use a restricted 'operator' wallet for gas only, to never handle the user's owner private key, and to require user confirmation for all write operations. While the tool handles a private key (RUNNER_PRIVATE_KEY), this is necessary for its stated purpose, and the bundle includes significant guardrails and documentation to mitigate risk, with no evidence of malicious intent or data exfiltration.

能力评估

ℹ Purpose & Capability

The claimed capability (execute policy-limited DeFi trades on BSC) legitimately requires an operator wallet private key and RPC config; that aligns with the SKILL.md. However, the registry metadata provided to the platform lists no required env vars while the SKILL.md explicitly requires RUNNER_PRIVATE_KEY (and optionally SHLL_RPC). That metadata mismatch is an incoherence that should be resolved before trusting the skill.

⚠ Instruction Scope

SKILL.md instructs agents to automatically set RUNNER_PRIVATE_KEY for the session and to place the key into various agent config files (e.g., Claude and Cursor configs). It instructs the agent not to ask users to edit env vars manually. This expands the agent's scope to reading/writing persistent user config files and handling a highly sensitive secret, which is broader and riskier than a simple tool invocation. The instructions also advise installation via npm and reference executing arbitrary calldata through PolicyGuard (a legit capability but higher-risk if misused).

ℹ Install Mechanism

There is no platform-level install spec, but SKILL.md recommends installing 'shll-skills' from the public npm registry (npm install -g shll-skills). Installing from npm is a common pattern (moderate risk) but since the registry metadata lists no install, the discrepancy should be clarified. The skill does not point to opaque URLs or downloads, which is better than an arbitrary archive URL.

⚠ Credentials

Requesting a single operator private key (RUNNER_PRIVATE_KEY) is proportionate to performing on-chain trades, but the instructions encourage embedding that private key into persistent agent configs and automating its setting — practices that increase exposure. The platform metadata claiming 'none' for required env vars conflicts with the SKILL.md requirement. SHLL_RPC as optional is reasonable.

⚠ Persistence & Privilege

always:false (good), but SKILL.md's guidance to edit agent config files to include RUNNER_PRIVATE_KEY creates persistent storage of a sensitive secret in user-facing config files. The skill's instructions effectively ask for long-lived presence of the private key in agent configurations, which increases blast radius if the key is mishandled. The skill does not declare that it will avoid persisting secrets, and telling the agent to 'set' the key automatically is ambiguous and risky.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install shll-skills
安装完成后，直接呼叫该 Skill 的名称或使用 /shll-skills 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v6.0.5

Replace rent/rental/renter with subscription/subscriber in all user-facing strings

v6.0.4

Add on-chain enforcement evidence to policy rejection output; enhance SKILL.md with product overview, security architecture diagram, and 4-policy stack documentation

v6.0.3

fix: use SupportingFeeOnTransferTokens for V2 sells, fix DeFi Guard selector compatibility

v6.0.2

Remove direct policy modification; config is now read-only and guides users to web console

v6.0.1

v6.0.1 Major Update: Native Smart Routing for Four.meme tokens! The swap command seamlessly auto-routes to the underlying four_buy/four_sell logic during the bonding curve phase. Fixed PancakeSwap zero-liquidity UX crashes, entirely eliminating AI hallucinations instructing users to "manually wrap BNB".

v6.0.0

v6.0.0: Modular services layer, env/credentials metadata for ClawHub scanner, security warnings for operator key, Four.meme bonding curve support, structured error codes, 30 security fixes.

v5.6.2

v6.0.0: Modular services layer, env/credentials metadata, security warnings for operator key, Four.meme support, structured error codes.

v5.6.1

v6.0.0: Modular services layer, env/credentials metadata, security warnings for operator key, Four.meme support, structured error codes.

v5.6.0

v5.6.0: 30 security fixes, PancakeSwap MEV Guard integration, V2 deadline hardened to 3min, private RPC recommendation.

元数据

Slug shll-skills

版本 6.0.5

许可证 —

累计安装 2

当前安装数 2

历史版本数 9

常见问题

Upload Clawhub 是什么？

Execute DeFi transactions on BSC via SHLL AgentNFA. The AI handles all commands and users only need to chat. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 363 次。

如何安装 Upload Clawhub？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install shll-skills」即可一键安装，无需额外配置。

Upload Clawhub 是免费的吗？

是的，Upload Clawhub 完全免费（开源免费），可自由下载、安装和使用。

Upload Clawhub 支持哪些平台？

Upload Clawhub 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Upload Clawhub？

由 kledx（@kledx）开发并维护，当前版本 v6.0.5。