sebayaki

Signet

Author: sebayaki · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 1150
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install signet
Description
Interact with Signet onchain advertising on Hunt Town. Use when the user wants to check spotlight ad prices, list current ads/signatures, or post a URL to the Signet spotlight. Supports x402 payment protocol for programmatic ad placement by AI agents.
Safe usage recommendations
This skill appears to do what it says (estimate/list/post Signet spotlight ads) but has a few important caveats you should consider before installing or invoking it:
- Private key handling: Posting requires signing with a wallet private key (PRIVATE_KEY or --private-key). Never store your main wallet private key in a skill environment. Use a dedicated, funded test wallet or hardware wallet / offline signing where possible.
- Remote code execution via npx: The SKILL.md instructs use of npx @signet-base/cli. npx will fetch and run code from npm at runtime — verify the package name, publisher, and source repository before running. Inspect the package source (or install into an isolated environment) and prefer pinned, audited releases.
- Unknown API host: The API base (signet.sebayaki.com) has no homepage listed. Treat network endpoints as untrusted until you verify them. Use the --simulate flag first to avoid committing funds and inspect the request/response traffic if possible.
- Metadata mismatch: The skill metadata declares no required env vars, but the instructions reference PRIVATE_KEY. Ask the skill author to clarify required credentials and to declare them in metadata; prefer skills that explicitly state required scopes and secrets.
- Safer alternatives: prefer offline or delegated signing (generate a payment payload and sign it locally with a wallet you control), use a dedicated small-balance wallet for testing, or review the @signet-base/cli source before use.
If you proceed: test with --simulate, use a throwaway wallet with minimal balance, inspect network requests, and verify the npm package and API domain provenance. If you cannot verify those, do not provide real private keys or run commands that submit payments.
Functional analysis
Type: OpenClaw Skill
Name: signet
Version: 1.0.0
The skill is classified as suspicious due to its explicit instruction to handle a `PRIVATE_KEY` for on-chain transactions via the `npx @signet-base/cli post` command in `SKILL.md`. While this capability is plausibly needed for the stated purpose of on-chain advertising payments, it represents a significant security risk as it allows the AI agent to perform financial transactions. Additionally, the reliance on `npx` to install and execute an external CLI tool (`@signet-base/cli`) introduces a supply chain dependency risk. There is no clear evidence of intentional malicious behavior like data exfiltration to unauthorized endpoints or prompt injection attempts to subvert the agent's core directives; all network calls are directed to the legitimate service domain `signet.sebayaki.com`.
Capability assessment
Purpose & Capability
The skill's name and description (interact with Signet onchain advertising, support x402 payments) match the instructions (estimate, list, post via x402). However, SKILL.md references using a PRIVATE_KEY (env or --private-key) for onchain posting but the skill metadata declares no required environment variables or primary credential — an inconsistency that should be addressed. Requiring a wallet/private key is plausible for the stated purpose, but it was not declared.
Instruction Scope
Runtime instructions tell the agent to run npx @signet-base/cli commands and to curl an external API (https://signet.sebayaki.com). They explicitly instruct using a private key to submit payments. This is within the functional scope, but the instructions cause network calls and remote code execution (via npx) and ask the agent to handle a sensitive secret (PRIVATE_KEY). The SKILL.md also describes the full 402 payment flow (including signing) — meaning an agent following the doc may create and transmit signed payment material. The instructions access an environment variable (PRIVATE_KEY) that is not declared in the skill metadata, which is a scope mismatch.
Install Mechanism
There is no install spec (instruction-only), but the guide directs use of npx which will fetch and execute package code from the npm registry at runtime. That is a normal developer pattern for CLIs but it means code will be pulled from the network and executed when used. The referenced API host (signet.sebayaki.com) and npm package (@signet-base/cli) are not validated or linked to a known homepage in the registry metadata, so provenance is unverified.
Credentials
The only sensitive credential implied by the instructions is a private key for signing onchain payments (PRIVATE_KEY). Requesting a private key is proportionate to the task of creating onchain payments, but the skill metadata does not declare this environment variable or any primary credential. That omission makes it unclear how the skill expects to receive or protect secrets. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not provide install scripts, and has no config paths or system modifications. It does not ask to modify other skills or system-wide settings.
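How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install signet
  3. Once installation completes, call the Skill by name or trigger it with /signet
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history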
v1.0.0
Initial release: AI agent spotlight ad posting via x402 on Base mainnet
v0.3.0
Initial release: on-chain ad interaction via @signet-base/cli
Metadata
Slug signet
Version 1.0.0
License
Total installs 0
Current installs 0
Historical versions 2
FAQ

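What is Signet?

Interact with Signet onchain advertising on Hunt Town. Use when the user wants to check spotlight ad prices, list current ads/signatures, or post a URL to the Signet spotlight. Supports x402 payment protocol for programmatic ad placement by AI agents. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1150 cumulative downloads to date.

How do I install Signet?

Run the command "/install signet" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Signet free?

Yes, Signet is completely free (open source and free) and can be freely downloaded, installed, and used.

Which platforms does Signet support?

Signet runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Signet?

Developed and maintained by sebayaki (@sebayaki); the current version is v1.0.0.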
