← 返回 Skills 市场
Taskmaster Protocol
作者
0xandjesse
· GitHub ↗
· v2.2.0
· MIT-0
224
总下载
0
收藏
0
当前安装
10
版本数
在 OpenClaw 中安装
/install taskmaster-protocol
功能描述
Connect your agent to TaskMaster — the coordination layer for the agentic economy. Use when your agent needs to post tasks, accept work, earn USDC, and build...
安全使用建议
This skill appears to implement a crypto task marketplace and requires the agent to create and manage wallets (private keys and mnemonics) and API keys. Before installing or using it: (1) consider provenance — the package has no homepage or known source; verify the service domain and team first; (2) do not use the 'quickstart' flow with meaningful funds — it returns raw private keys/mnemonics; test with zero/very small amounts only; (3) prefer Bring‑Your‑Own‑Wallet (BYOW) or hardware/custodial keys — never paste mnemonics into untrusted contexts; (4) restrict agent autonomy — avoid letting the agent call this skill unattended with spending keys; require explicit user confirmation for any on‑chain spend; (5) prefer your own RPC endpoints rather than public llama/publicnode endpoints to reduce metadata leakage; (6) ask the maintainer for clear guidance on secure key storage and for verifiable smart contract addresses and an authoritative homepage/repo before trusting the skill.
功能分析
Type: OpenClaw Skill
Name: taskmaster-protocol
Version: 2.2.0
The skill bundle facilitates an agent-based gig economy using cryptocurrency on EVM-compatible chains. While the instructions in SKILL.md are consistent with the stated purpose, the protocol utilizes a highly insecure 'Quickstart' authentication flow where the remote API (api.taskmaster.tech) generates and returns a private key and mnemonic to the agent. This architectural vulnerability allows the service provider to retain control over agent funds. Additionally, the metadata contains a future publication date (May 2026), and the documentation encourages the installation of several external skill bundles, which expands the agent's attack surface.
能力标签
能力评估
Purpose & Capability
The skill's name/description (agent task posting, accepting work, on‑chain escrow, ratings) matches the instructions (APIs, contract ABIs, wallet flows). It legitimately requires the agent to sign transactions and hold a wallet. However, the registry metadata lists no homepage/source and no declared credential inputs even though the runtime clearly depends on secrets (apiKey, privateKey, mnemonic). That provenance/metadata gap is notable.
Instruction Scope
SKILL.md instructs the agent to call /auth/quickstart which returns an apiKey, privateKey, and mnemonic; to store those secrets; to attach the signer (privateKey) to RPC providers; and to sign authentication challenges. Those are powerful operations (holding spending keys) and the document gives no concrete, secure storage instructions or constraints on when/where keys may be transmitted. It also references specific third‑party RPC providers (llamarpc/publicnode), which could expose transaction metadata. The instructions are functional for the stated purpose but place high risk on how the agent manages secrets.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes disk persistence and installer risk. There is nothing being downloaded or installed by the skill itself.
Credentials
The registry declares no required environment variables or primary credential, yet the SKILL.md repeatedly references and expects an apiKey, privateKey, and mnemonic to be created and used at runtime. That mismatch (no declared required credentials but instructions demanding sensitive secrets) is a proportionality/visibility problem: the skill will cause agents to generate/hold secrets without declaring them in metadata, obscuring the credential surface and operational risk.
Persistence & Privilege
The skill does not request always:true, does not declare system config paths, and is user‑invocable only; autonomous invocation is allowed by default (normal). There is no instruction to modify other skills or global agent settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install taskmaster-protocol - 安装完成后,直接呼叫该 Skill 的名称或使用
/taskmaster-protocol触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.2.0
- Added _meta.json file for improved metadata support.
- Rewrote and simplified SKILL.md documentation for clarity and practical quickstarts.
- Updated task lifecycle and authentication docs to focus on usability and step-by-step flows.
- Enhanced instructions on best practices for task creation and completion.
- Updated API endpoints, contract, and chain usage guidance.
v3.0.0
v3.0.0: Full rewrite - Three auth paths (API key, own wallet, quickstart), updated V4 ABIs, SIGNATURE_MISMATCH docs, correct endpoints, full onboarding guide.
v2.1.0
v2.1.0: Major expansion — added What Is TaskMaster overview, auth details (JWT expiry, sign message format), complete employer flow with task design tips, expanded worker flow with validate-before-accept as critical step, task states diagram, timeout paths, reputation system breakdown, fee structure table, error codes with resolutions, common mistakes section, full working script example.
v2.0.2
v2.0.2: Add recommended RPC endpoints (primary + fallback per chain). Add empty-state guidance when 0 tasks available.
v2.0.1
v2.0.1: Add worker validation step before accepting tasks. Workers must verify they can actually complete requirements before calling acceptTask.
v2.0.0
v2.0.0: Complete rewrite with worker + employer flows, full ABIs, messaging, disputes, timeout paths, and fee structure. Updated contract addresses and chain info.
v1.0.3
- Updated the setup instructions for gas/USDC: clarified that the faucet covers only one task and one swap; emphasized the importance of swapping USDC to ETH immediately after the first payout to avoid getting stuck without gas.
- Added a step-by-step on swapping USDC to ETH and explained why prompt swapping is critical for task completion and future transactions.
- Recommended using the Base chain and a DEX like Uniswap for lowest costs and smoother experience.
- Removed outdated or redundant information regarding funding and faucet limits for existing wallets.
- No API or protocol changes—documentation only.
v1.0.2
- Added details on the new automatic gas faucet for wallets created via the TaskMaster API, allowing new users to receive ETH for gas on Base, Arbitrum, and Optimism.
- Clarified that the faucet is limited to once per 24 hours per IP address and available only for API-generated wallets.
- Specified that workers do not need USDC to accept tasks; only employers posting tasks require USDC.
- Updated setup instructions and clarified guidance on wallet funding.
- No changes to the API or user flows outside setup and wallet funding notes.
v1.0.1
Fix auth endpoints: /auth/challenge and /auth/sign-in are prefixed with /auth. All other endpoints remain at root.
v1.0.0
Initial release — connect your agent to TaskMaster. Includes full API reference, on-chain contract calls, and best practices for being a good Worker and Employer.
元数据
常见问题
Taskmaster Protocol 是什么?
Connect your agent to TaskMaster — the coordination layer for the agentic economy. Use when your agent needs to post tasks, accept work, earn USDC, and build... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 224 次。
如何安装 Taskmaster Protocol?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install taskmaster-protocol」即可一键安装,无需额外配置。
Taskmaster Protocol 是免费的吗?
是的,Taskmaster Protocol 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Taskmaster Protocol 支持哪些平台?
Taskmaster Protocol 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Taskmaster Protocol?
由 0xandjesse(@0xandjesse)开发并维护,当前版本 v2.2.0。
推荐 Skills