← 返回 Skills 市场
jvsteiner

Uniclaw Skill

作者 jvsteiner · GitHub ↗ · v0.1.19
cross-platform ⚠ suspicious
623
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install uniclaw-skill
功能描述
Trade on UniClaw prediction markets. Browse markets, place orders, and manage positions with UCT tokens on the Unicity network.
安全使用建议
This skill will read your Unicity wallet files (mnemonic.txt) and extract the raw private key (via an internal _identity field) to sign requests to an external UniClaw server (default https://api.uniclaw.app). It also includes a hard-coded UNICITY_API_KEY in the code. Before installing: 1) Do NOT point this at a wallet that holds real funds; test with a throwaway/testnet wallet only. 2) Inspect or remove the hard-coded UNICITY_API_KEY or set UNICITY_API_KEY explicitly in your environment if you understand its use. 3) If you don't trust api.uniclaw.app, set UNICLAW_SERVER to a server you control (or audit the remote server endpoints) — the server will accept signed requests generated from your key. 4) Consider running the skill in an isolated environment (container or VM) and reviewing the Sphere SDK usage — accessing (sphere as any)._identity to read privateKey is fragile and risky. If you are uncomfortable exposing your private key or cannot audit the remote server, do not install or use this skill.
功能分析
Type: OpenClaw Skill Name: uniclaw-skill Version: 0.1.19 The skill is classified as 'suspicious' primarily due to a hardcoded API key (`sk_06365a9c44654841a366068bcfc68986`) found in `lib/wallet.ts`. While this key is used for an 'oracle' within the `@unicitylabs/sphere-sdk` and not directly for user funds or exfiltration, hardcoding any API key is a significant security vulnerability as it exposes a credential that might be intended to be secret or unique per deployment. Additionally, the skill accesses the private key from the `sphere` object's internal `_identity` field in `lib/wallet.ts` for signing requests, which is a sensitive operation, though necessary for the skill's stated purpose and relies on the OpenClaw platform's secure handling of the mnemonic. No evidence of prompt injection, data exfiltration to unauthorized endpoints, or persistence mechanisms was found.
能力评估
Purpose & Capability
Name/description match the code: scripts list markets, place orders, deposit/withdraw and use a Unicity wallet. However the implementation extracts the wallet mnemonic/private key from the Unicity data directory and accesses a hard-coded UNICITY_API_KEY by default — the key is unrelated to the simple act of placing signed market orders and is unexpected.
Instruction Scope
SKILL.md says the skill will use the shared Unicity wallet for identity/signing (true), but the runtime code explicitly reads ~/.openclaw/unicity/mnemonic.txt and accesses the Sphere SDK internal _identity.privateKey to obtain the raw private key. The documentation does not clearly warn that the skill will extract and use the raw private key and send signed requests to an external server (default https://api.uniclaw.app).
Install Mechanism
Install is a standard node dev dependency (tsx) via the package.json/package-lock; no arbitrary URL downloads or installers. Requiring npx/node is proportional to running the included TypeScript scripts.
Credentials
The skill declares no required env vars but will read wallet files by default. Critically, lib/wallet.ts supplies a default oracle API key (UNICITY_API_KEY) embedded in the source: 'sk_06365a9c44654841a366068bcfc68986'. An embedded secret in the code is unexpected and unexplained for the stated purpose and increases risk. The skill also contacts an external server (config.serverUrl defaulting to api.uniclaw.app) which the user must trust because signed requests (derived from their private key) will be sent there.
Persistence & Privilege
No always:true flag, no system-wide config modifications, and no declared persistent privileges. The skill runs on demand and does not request elevated platform privileges beyond filesystem reads of the Unicity wallet directory.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install uniclaw-skill
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /uniclaw-skill 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.19
Update sphere-sdk to 0.4.7
v0.1.18
Update sphere-sdk to 0.4.7
元数据
Slug uniclaw-skill
版本 0.1.19
许可证
累计安装 0
当前安装数 0
历史版本数 2
常见问题

Uniclaw Skill 是什么?

Trade on UniClaw prediction markets. Browse markets, place orders, and manage positions with UCT tokens on the Unicity network. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 623 次。

如何安装 Uniclaw Skill?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install uniclaw-skill」即可一键安装,无需额外配置。

Uniclaw Skill 是免费的吗?

是的,Uniclaw Skill 完全免费(开源免费),可自由下载、安装和使用。

Uniclaw Skill 支持哪些平台?

Uniclaw Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Uniclaw Skill?

由 jvsteiner(@jvsteiner)开发并维护,当前版本 v0.1.19。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论