ramyonsn

Sagb

Author: ramyonsn · GitHub · v2.0.0
cross-platform ⚠ suspicious
Total downloads: 1885
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install testing-sagb
Description
Bags - The Solana launchpad for humans and AI agents. Authenticate, manage wallets, claim fees, trade tokens, and launch tokens for yourself, other agents, or humans.
Security recommendations
What to consider before installing:
- Trust and provenance: bags.fm is the declared homepage, but the package is instruction-only and will curl code from that domain. Only install if you trust bags.fm and can verify the site and its content (e.g., via HTTPS certificate, domain ownership, or developer reputation).
- Private keys: the skill's workflows export private keys via the Bags agent API and store them (even temporarily) on disk; this is necessary for automated signing but risky. Prefer local signing with hardware wallets or an offline signer. If you must use this skill, avoid exporting long-term private keys; rotate keys after use and minimize key lifetime.
- Auto-update and code execution: the heartbeat silently downloads and overwrites skill files from https://bags.fm. That allows remote code changes to take effect without your approval. If you install, disable or review the heartbeat auto-update steps, and only update after reviewing remote changes. Never allow unverified scripts to run automatically.
- Undeclared dependencies & credentials: SKILL.md expects node/npm, base58, solana CLI, and a Moltbook API key (for posting verification) but these are not declared in registry metadata. Confirm you have safe, official sources for those tools (e.g., official Solana releases) and do not use unfamiliar installers (the doc references an unusual Solana install URL).
- Run in isolation for testing: if you want to try it, run the skill in an isolated environment (VM or container) with throwaway keys and minimal funds. Inspect sign-transaction.js and any downloaded package.json before running npm install. Consider creating dedicated API keys with narrow scope and low balance.
- What would reduce concern: registry metadata that lists required env vars and binaries accurately; signed releases or checksums for downloaded files; removal or opt-in of silent auto-update; and explicit guidance for hardware/local signing instead of exporting private keys.
If you cannot verify the origin and content of bags.fm, or you are uncomfortable with private keys being exported and with silent remote updates, do not install this skill.
Functional analysis
Type: OpenClaw Skill
Name: testing-sagb
Version: 2.0.0
This skill is classified as suspicious due to its inherent high-risk capabilities, despite explicit security warnings and alignment with its stated purpose. Key indicators include the programmatic export and use of private keys for signing Solana transactions (`fees.md`, `launch.md`, `trading.md`, `wallets.md`), which, while necessary for a DeFi skill, represents a significant risk if not handled perfectly. Additionally, the skill includes a self-update mechanism (`heartbeat.md`) that downloads and overwrites its own files from `https://bags.fm`, posing a supply chain risk if the remote server were compromised. The authentication process also requires handling a Moltbook API key (`auth.md`), another sensitive credential.
Capability assessment
Purpose & Capability
The name and description (Solana launchpad: authenticate, manage wallets, claim fees, trade, launch) align with the SKILL.md instructions. However, the metadata and manifests are inconsistent: registry 'requires.env' is empty while the docs expect JWTs, API keys, private keys and a Moltbook API key. skill.json lists required binaries (curl, jq, bc) but the instructions also require node/npm, base58, solana CLI and other tools not declared. These omissions are sloppy and reduce transparency.
Instruction Scope
The SKILL.md and included files instruct the agent to: read/write ~/.config/bags/credentials.json (storing JWT/API key/wallets), call agent API endpoints that return private keys, export private keys and sign transactions locally, create and run a Node signing script, poll RPC servers, and perform a 'heartbeat' that silently updates skill files by curling content from bags.fm. While most actions are plausible for a wallet/launchpad tool, the combination of exporting private keys and automatic, silent remote updates expands scope beyond normal helper behavior and could be abused if the remote site is compromised.
Install Mechanism
There is no formal install spec (instruction-only), but the docs tell users to curl files from https://bags.fm into ~/.bags/skills, and later the heartbeat will re-curl and silently overwrite those files. The skill also recommends installing a Solana CLI from an unusual URL (release.anza.xyz) and running npm install in ~/.config/bags. Downloading and executing code from an external site without integrity/signature checks is a high-risk pattern.
Credentials
The skill legitimately needs a JWT, a Bags API key, and the wallet private key to sign/submit transactions. However: (1) those credentials are not declared in the registry metadata (it listed none), (2) the flow requires a Moltbook API key (to post verification) which is an additional, undeclared external credential, and (3) the skill instructs exporting private keys via the Bags API — storing and programmatically handling private keys is necessary for signing but inherently sensitive and should be minimized and clearly justified. The number and sensitivity of secrets is high relative to an instruction-only skill.
Persistence & Privilege
The skill writes persistent files under the user's home (~/.config/bags, ~/.bags/skills, ~/.config/bags/keypair.json) and provides a heartbeat that runs periodically and silently updates skill files from the network. Although always:false (not force-installed), the silent auto-update behavior and filesystem writes give the skill persistent influence over the agent environment and increase the blast radius if the remote content is malicious or compromised.
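How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install testing-sagb
  3. Once installation completes, invoke the Skill by name or trigger it with /testing-sagb
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history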
v2.0.0
- No changes detected in this release; version bumped without file modifications.
- All SKILL.md content and related files remain unchanged from the previous version.
v1.0.1
- Removed two files: scripts/package.json and scripts/sign-transaction.js.
- Project scripts related to packaging and transaction signing are no longer included in this version.
v1.0.0
Bags v1.0.0 initial release:
- Solana launchpad for humans and AI agents: authenticate, manage wallets, claim fees, trade, and launch tokens.
- Launch tokens and share fees with AI agents, collaborators, or any user.
- Detailed REST API: endpoints for authentication, wallet management, trading, fee claiming, and token launches.
- Fee sharing configurable across agents and humans, supporting multiple identity providers (Moltbook, Twitter, GitHub).
- Easy setup guides and local installation instructions provided in documentation.
Metadata
Slug: testing-sagb
Version: 2.0.0
License:
Total installs: 0
Current installs: 0
Number of versions: 3
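Frequently asked questions

What is Sagb?

Bags - The Solana launchpad for humans and AI agents. Authenticate, manage wallets, claim fees, trade tokens, and launch tokens for yourself, other agents, or humans. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1885 total downloads to date.

How do I install Sagb?

Run the command "/install testing-sagb" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Sagb free?

Yes, Sagb is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Sagb support?

Sagb is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Sagb?

It is developed and maintained by ramyonsn (@ramyonsn); the current version is v2.0.0.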
