nightcode112

StorJ Agent

Author: Kay · GitHub · v2.0.0
Platforms: linux, darwin, win32 · ⚠ suspicious
Total downloads: 462
Favorites: 2
Current installs: 0
Versions: 1
Install in OpenClaw:
/install storj-agent
Description
Autonomous economic agent that earns BTC & SOL by selling storage, compute, and bandwidth. Pays its own hosting, manages subagents, posts tweets, and replica...
Safe-use recommendations
Do NOT run or deploy this skill with real secrets or real funds. Specific concerns and next steps:
- Stop: the repo already contains hardcoded API keys, a Supabase key, Storj credentials, and Twitter tokens in source files and twitterdata.txt. Treat those values as compromised.
- Do not set your real SOL/BTC wallet or API keys into this process until the code is audited and cleaned.
- Fixes required before trusting: remove all hardcoded secrets; use only environment variables as documented; remove any leftover credential files; and rotate any keys that were leaked in these files.
- Fix critical bugs: the payment verification function returns (bool, message) but the endpoint treats it as a boolean; this logic currently allows bypassing payment checks. Also fix the replay-protection flow (do not mark a signature as used before verifying payment, and ensure atomic checks against a durable store).
- Audit network endpoints: review Supabase URL/key, OpenRouter endpoint usage, the rclone target (storjy:firstbucket) and any access grants. Treat the included SUPABASE_KEY/STORJ_ACCESS/ACCESS_GRANT as compromised and rotate them.
- Principle of least privilege: run any further tests in an isolated environment (no real wallets, no production keys), and disable autonomous operation until you can confirm correct verification and security controls.
- If you need this functionality, ask the author for a clean release that uses env vars only, documents exactly which keys are needed, removes embedded test data/base64 dumps, and includes unit tests demonstrating correct payment verification and replay resistance. If the source/author is unknown or cannot explain these issues, consider this skill untrustworthy.
Functional analysis
Type: OpenClaw Skill
Name: storj-agent
Version: 2.0.0
The skill bundle is classified as suspicious due to critical security vulnerabilities. Multiple sensitive API keys and secrets (OpenRouter, Twitter, Supabase, Storj) are hardcoded in `mainapp.py` and `services/tasking.py`, directly violating the `SKILL.md` instruction to use environment variables. More critically, the `upload_file_rclone` function in `services/tasking.py` is vulnerable to shell injection, as it uses the unsanitized user-provided `filename` directly in a `subprocess.run` command, allowing arbitrary command execution on the host system. Additionally, `blockchain/blockchain.py` includes a `generate_wallets` function that saves private keys to a local JSON file, marked 'FOR TESTING ONLY', which poses a risk if misused.
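As an added illustration of the mitigation for the `upload_file_rclone` finding above (this is example code written for this review, not the skill's own code): the filename is checked against an allowlist of bare basenames and rclone is invoked with an argv list and the default `shell=False`, so the value is passed to rclone as data and is never parsed as shell syntax. `is_safe_filename`, `build_rclone_argv` and the `dry_run` flag are hypothetical names; the remote `storjy:firstbucket` is the target named in the analysis.

```python
import os
import re
import subprocess

# Allowlist: plain basenames only, no path separators or shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
RCLONE_REMOTE = "storjy:firstbucket"  # remote named in the analysis above

def is_safe_filename(user_supplied):
    """True only if the value is already a bare basename matching the allowlist."""
    return (os.path.basename(user_supplied) == user_supplied
            and SAFE_NAME.match(user_supplied) is not None)

def build_rclone_argv(local_dir, filename):
    """Validate the name, then build an argv list; nothing here is shell-parsed."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["rclone", "copy", os.path.join(local_dir, filename), RCLONE_REMOTE]

def upload_file_rclone(local_dir, filename, dry_run=False):
    """Hardened stand-in: argv list with shell=False, so the name is data, not syntax."""
    argv = build_rclone_argv(local_dir, filename)
    if dry_run:  # hypothetical flag so the command can be inspected without rclone
        return argv
    return subprocess.run(argv, check=True, capture_output=True)
```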
Capability assessment
Purpose & Capability
The declared purpose (a StorJ autonomous agent selling storage/compute and posting tweets) matches many of the requested binaries (python3, rclone) and external services (Storj, OpenRouter, Twitter, Supabase). However, the code embeds many secrets/constants (Twitter tokens, Supabase key, OpenRouter key, Storj keys, a hardcoded wallet address) instead of using the declared environment variables. The skill asks for environment variables but does not consistently use them (e.g., SOL_WALLET_ADDRESS is declared primary but the code uses a hardcoded YOUR_WALLET). This mismatch is a strong incoherence between the stated design and the implementation.
Instruction Scope
SKILL.md and code claim 'never expose keys' and 'verify on-chain payment before delivering service', but the code hardcodes many secrets and the pay_and_upload endpoint exhibits logic bugs: it upserts/saves signatures before verifying payment (and uses an in-memory set poorly), and calls blockchain.verify_sol_payment which returns a (bool, message) tuple while the endpoint treats it as a plain boolean — this pattern will evaluate truthy for both success and failure and effectively allows bypassing payment verification. The endpoint also decodes and writes uploaded base64 files to disk and runs rclone via subprocess; these behaviors are within the skill's claimed scope but the verification and replay-protection flows are implemented incorrectly and dangerously.
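The two verification defects described above and under the safe-use recommendations (the `(bool, message)` tuple read as a plain boolean, and the signature recorded before payment is verified) side by side with a corrected flow. This is example code written for this review, not the skill's code: `verify_sol_payment` is a stand-in that consults a constructed in-memory ledger rather than the chain, and `buggy_pay_and_upload`, `fixed_pay_and_upload` and the `used` set are hypothetical names for the endpoint logic and its replay store.

```python
import threading

# Constructed sample ledger standing in for the on-chain lookup:
# signature -> SOL amount actually received.
CONSTRUCTED_LEDGER = {"sig_paid": 1.0}

USED_LOCK = threading.Lock()

def verify_sol_payment(signature, expected_amount):
    """Stand-in verifier with the (bool, message) shape the analysis describes."""
    amount = CONSTRUCTED_LEDGER.get(signature)
    if amount is None:
        return (False, "signature not found on chain")
    if amount < expected_amount:
        return (False, f"underpaid: {amount} < {expected_amount}")
    return (True, "ok")

def buggy_pay_and_upload(signature, expected_amount, used):
    """Mirrors the reported flaw: marks the signature used, then tests the tuple."""
    if signature in used:
        return "rejected: replay"
    used.add(signature)  # recorded before payment is verified
    result = verify_sol_payment(signature, expected_amount)
    if result:  # a 2-tuple is always truthy, even (False, "...")
        return "accepted"
    return "rejected: payment failed"

def fixed_pay_and_upload(signature, expected_amount, used, lock=USED_LOCK):
    """Unpack the tuple, verify first, then claim the signature under a lock."""
    ok, message = verify_sol_payment(signature, expected_amount)
    if not ok:
        return f"rejected: {message}"
    with lock:  # check-and-add as one step so two requests cannot both claim it
        if signature in used:
            return "rejected: replay"
        used.add(signature)  # a real deployment needs a durable, shared store here
    return "accepted"
```

The process-local set and lock only illustrate the atomic check; across several workers the claim must be made against a durable shared store, as the recommendations note.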
Install Mechanism
There is no install specification (instruction-only in metadata), but the package includes multiple code files and a package.json. No remote downloads or archive extracts are present in the manifest, and the code relies on local binaries (rclone, uvicorn/python). Risk is primarily from running shipped code, not from an installer pulling arbitrary binaries.
Credentials
The skill declares many required secrets (OpenRouter, Twitter, Supabase, Storj credentials, SOL wallet) — which are plausible for the stated functionality — but the repository already contains hardcoded values for many of those credentials (in mainapp.py, services/tasking.py, and twitterdata.txt). That both contradicts the guidance in SKILL.md and increases the risk of credential leakage or misuse. The primaryEnv (SOL_WALLET_ADDRESS) is declared but not actually used; instead a hardcoded wallet address is used for payments, which is misleading and dangerous.
Persistence & Privilege
always:false (good), but the skill is allowed to run autonomously and includes code paths that can post to Twitter, call external APIs (OpenRouter, Supabase), and send blockchain transactions. Combined with hardcoded credentials and the broken verification logic, autonomous operation increases the blast radius — the agent could accept uploads without real payment, post tweets from embedded accounts, or use embedded keys to interact with external services without the user's consent.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install storj-agent
  3. After installation, call the Skill by name directly or trigger it with /storj-agent
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v2.0.0
Major update: Storj-agent 2.0.0 introduces a fully autonomous crypto-earning agent with advanced self-management and economic survival features.
- Adds autonomous sales of storage, compute, and bandwidth for BTC & SOL, managing finances, hosting, and subagents independently.
- Supports pay-and-upload storage with on-chain SOL payment verification and rclone integration.
- Implements autonomous tweet generation and posting with OpenRouter and strict persona/guardrails.
- Provides full lifecycle management of subagents, including spawning, evaluation, evolution, and reinvestment.
- Introduces wallet management and payment functions for both Bitcoin and Solana chains.
- Enforces strict security on env variables, private key secrecy, and operation guardrails.
Metadata
Slug: storj-agent
Version: 2.0.0
License:
Cumulative installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is StorJ Agent?

Autonomous economic agent that earns BTC & SOL by selling storage, compute, and bandwidth. Pays its own hosting, manages subagents, posts tweets, and replica... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 462 cumulative downloads so far.

How do I install StorJ Agent?

Run the command "/install storj-agent" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.

Is StorJ Agent free?

Yes, StorJ Agent is completely free (open source and free), and can be freely downloaded, installed and used.

Which platforms does StorJ Agent support?

StorJ Agent runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (linux, darwin, win32).

Who developed StorJ Agent?

Developed and maintained by Kay (@nightcode112); the current version is v2.0.0.