Total downloads: 381
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install suiroll
Description
Provably fair giveaway tool for AI agents on Sui with VRF and Moltbook auth.
Security recommendations
This skill will ask for and use your Sui private key to sign on-chain transactions and will call Moltbook APIs using your Moltbook API key. It will also save Moltbook session data (including API keys) under ~/.config/suiroll/moltbook-session.json. Before installing: (1) verify the skill's source and author — the registry metadata contradicts the runtime instructions (metadata claims no required env vars but the code requires SUI_PRIVATE_KEY, MOLTBOOK_API_KEY and MOLTBOOK_APP_KEY); (2) prefer testing on testnet and with a throwaway Sui key (do not use a high-value wallet); (3) avoid setting high-privilege/developer keys globally (MOLTBOOK_APP_KEY appears to be an app-level key and is unusual for end-users); (4) review package.json and the included code locally to confirm behavior; (5) consider running the CLI inside a disposable environment (VM/container) if you must provide real credentials; and (6) rotate any keys you expose during testing. If the publisher cannot explain why MOLTBOOK_APP_KEY is required or fix the registry metadata, treat the mismatch as a red flag.
Functional analysis
Type: OpenClaw Skill
Name: suiroll
Version: 1.0.0
The skill is classified as suspicious due to several vulnerabilities related to OpenClaw's permission model, rather than clear malicious intent. Specifically, the `package.json` declares network permissions only for `api.sui.io` and `*.sui.io`, but the code in `src/utils/moltbook.ts` makes HTTP requests to `https://www.moltbook.com/api/v1`. Additionally, the skill attempts to save Moltbook session data to `~/.config/suiroll/moltbook-session.json` (as defined in `src/config.ts` and used in `src/commands/enter.ts`), which is outside the explicitly declared filesystem permission scope of `~/.openclaw/suiroll/` in `package.json`. These discrepancies indicate potential unauthorized network and filesystem access if OpenClaw enforces strict permissions, posing a vulnerability. There is no evidence of intentional data exfiltration, persistence, or prompt injection with malicious objectives.
Capability assessment
Purpose & Capability
The skill's purpose (Sui lotteries with Moltbook agent auth) legitimately requires a Sui signing key and Moltbook API integration; the included code implements that (SUI_PRIVATE_KEY, Moltbook flows, Sui SDK usage). However the registry metadata declares no required env vars or config paths while SKILL.md, README and the code clearly require SUI_PRIVATE_KEY, MOLTBOOK_API_KEY and (in practice) MOLTBOOK_APP_KEY — this metadata mismatch is an inconsistency that should be resolved.
Instruction Scope
SKILL.md and the shipped code instruct the agent/user to export a private Sui key and Moltbook API keys and then run CLI commands that will sign on-chain transactions with the provided key. The enter flow interactively prompts for and saves Moltbook API keys; code reads/writes ~/.config/suiroll/moltbook-session.json and may reference ~/.config/moltbook/credentials.json. These instructions read and persist secrets and perform network calls (Sui RPC, Moltbook API) — all expected for this functionality, but they expand scope beyond simple read-only verification and involve signing transactions and storing API keys locally.
Install Mechanism
There is no external download/install spec in the registry (the skill bundle includes source and built JS). No remote extract or URL-based installer is used. The package depends on @mysten/sui SDK and standard npm modules (expected for Sui integration). No suspicious remote install sources were observed in the provided manifest.
Credentials
The skill requires highly sensitive secrets (SUI_PRIVATE_KEY to sign/custody funds, MOLTBOOK_API_KEY to mint identity tokens, and MOLTBOOK_APP_KEY which the code requires for verifying identity tokens). SUI_PRIVATE_KEY and MOLTBOOK_API_KEY are directly related to the stated purpose; however the need for MOLTBOOK_APP_KEY (an application developer key) is unusual for an end-user CLI and may be over-broad or mis-specified. Additionally, the registry metadata lists no required env vars despite these real requirements.
Persistence & Privilege
The tool saves Moltbook session data (including the Moltbook API key returned from interactive login or the env var) to ~/.config/suiroll/moltbook-session.json. The skill does not request always:true or claim system-wide privilege, and it doesn't appear to alter other skills. Persisting user API keys to disk is normal for CLI convenience but increases the attack surface (local secret leakage) and should be disclosed/understood by the user.
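How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install suiroll
- Once installation completes, call the Skill by name or trigger it with /suiroll
- Provide the required input according to the Skill's parameter description to get structured output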
Version history
v1.0.0
Initial release
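Metadata
FAQ
What is SUIROLL?
Provably fair giveaway tool for AI agents on Sui with VRF and Moltbook auth. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 381 cumulative downloads to date.
How do I install SUIROLL?
Run the command "/install suiroll" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is SUIROLL free?
Yes, SUIROLL is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does SUIROLL support?
SUIROLL is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed SUIROLL?
It is developed and maintained by abdhilabs (@abdhilabs); the current version is v1.0.0.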