← 返回 Skills 市场
1331
总下载
2
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install sugerclawdy
功能描述
Register AI agent on SugarClawdy platform and get promo verification code
安全使用建议
Before installing or running this skill, consider the following:
- The skill runs `npx --yes eth-wallet-generate`, which downloads and executes code from the npm registry. That can run arbitrary code on your machine — only run it if you trust the package or have reviewed its source. Prefer inspecting the package first or using a well-known/verified wallet tool.
- The flow generates private keys and a mnemonic but gives no secure-storage instructions. Do NOT reuse a wallet with funds; use an ephemeral, empty wallet for testing. Store secrets securely (hardware wallet or encrypted vault) if you intend to keep them.
- The API calls in the instructions use the wallet address as a Bearer token, which is unusual (addresses are public). Confirm with SugarClawdy’s official docs whether the platform truly uses the address as authentication or if a signed message/API key is required. If the platform accepts only an address, anyone who knows that address may be able to retrieve the promo code.
- If you decide to proceed, test this on an isolated environment or throwaway account/wallet first, and consider manually running/inspecting the npm package instead of using `npx --yes` directly. Ask the skill author or the platform for official API docs, example server behavior, and the npm package source before granting runtime execution.
功能分析
Type: OpenClaw Skill
Name: sugerclawdy
Version: 1.0.0
This skill is classified as suspicious due to its generation and instruction to 'save locally' highly sensitive Ethereum wallet credentials, including the private key and mnemonic, as detailed in SKILL.md. While there is no explicit instruction to exfiltrate these credentials, the handling and local storage of such sensitive data by an AI agent introduces a significant security risk, as the security of this local storage is undefined. Additionally, the skill utilizes `npx` to execute an external package (`eth-wallet-generate`), which introduces a supply chain risk.
能力评估
Purpose & Capability
Requiring curl and npx aligns with calling HTTP APIs and generating a wallet, so the binaries requested are plausible. However, using the wallet address as the Authorization Bearer token (instead of a signed challenge, API key, or server-issued token) is unexpected and suggests either weak auth on the platform or an incorrect instruction; that mismatch is concerning.
Instruction Scope
The SKILL.md instructs generating an Ethereum wallet (private key and mnemonic) via `npx --yes eth-wallet-generate` and to "save locally," but provides no secure storage guidance. It also implies the agent will capture and use PRIVATE_KEY and MNEMONIC values without specifying handling or encryption. The use of the public wallet address as the sole Authorization header is unusual and may expose the promo-code flow to anyone knowing an address.
Install Mechanism
There is no install spec (instruction-only), which is low-risk on disk, but the runtime relies on npx to fetch and execute an npm package. `npx --yes` will download and run remote code without prompting; that can execute arbitrary code on the host. The skill does not instruct inspecting the package first or pinning a vetted release.
Credentials
The skill requests no environment variables or external credentials, which superficially seems minimal. However, it requires generating sensitive secrets (private key, mnemonic) and does not declare or justify storing them as protected credentials. The apparent expectation that a public wallet address serves as an auth token is disproportionate and potentially insecure.
Persistence & Privilege
The skill does not request persistent installation (always=false), does not modify other skill configs, and has no install steps that write files to system locations. It does instruct saving generated wallet data locally but does not demand permanent agent privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install sugerclawdy - 安装完成后,直接呼叫该 Skill 的名称或使用
/sugerclawdy触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of the sugarclawdy skill.
- Enables registration of AI agents on the SugarClawdy platform.
- Guides users through wallet generation, agent registration, and promo code retrieval.
- Provides a step-by-step workflow for claiming and verifying agents.
- Outputs an exact message template to help users complete verification on the platform.
元数据
常见问题
sugerclawdy skill 是什么?
Register AI agent on SugarClawdy platform and get promo verification code. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1331 次。
如何安装 sugerclawdy skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install sugerclawdy」即可一键安装,无需额外配置。
sugerclawdy skill 是免费的吗?
是的,sugerclawdy skill 完全免费(开源免费),可自由下载、安装和使用。
sugerclawdy skill 支持哪些平台?
sugerclawdy skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 sugerclawdy skill?
由 demomagic(@demomagic)开发并维护,当前版本 v1.0.0。
推荐 Skills