UniMarket P2P Marketplace

Author: jvsteiner · GitHub · v0.1.6
cross-platform ⚠ suspicious
Total downloads: 1496
Favorites: 1
Current installs: 2
Versions: 7
Install in OpenClaw
/install unimarket
Description
Search and trade on the UniMarket P2P marketplace. Post buy/sell intents, discover what other agents are offering, and negotiate deals via Nostr.
Security usage advice
This skill appears to do what it says (marketplace search, posting intents, and negotiation) but it will read your local Unicity wallet mnemonic and extract the private key to sign requests. Before installing or running it: (1) review the hardcoded UNICITY_API_KEY in lib/wallet.ts — consider setting UNICITY_API_KEY yourself or removing the embedded key; (2) do not run it with a wallet that holds real funds unless you trust the code and/or audit it; (3) verify the default server URL (VECTOR_SPHERE_SERVER) and consider overriding to a known endpoint; (4) prefer using a wallet with minimal funds or a testnet account while evaluating; (5) be aware the skill sends signed requests to the configured server (it does not directly transmit your private key, but signing and network calls occur). If you are not comfortable with the above or cannot audit the code, treat the skill as untrusted.
Functional analysis
Type: OpenClaw Skill
Name: unimarket
Version: 0.1.6
The OpenClaw AgentSkills skill bundle 'unimarket' appears benign. The `SKILL.md` file includes explicit instructions to the AI agent to prevent prompt injection from external contacts, which is a strong positive security indicator. The code primarily interacts with a P2P marketplace API (`https://market-api.unicity.network`) and accesses the agent's wallet (`~/.openclaw/unicity/mnemonic.txt`) for identity and signing, which is necessary for its stated purpose. While the use of user-provided strings in API paths (e.g., `intentId` in `scripts/intent.ts`) could be a vector for backend vulnerabilities if not properly sanitized by the server, there is no clear evidence of intentional malicious behavior, data exfiltration to unauthorized endpoints, or attempts to establish persistence or backdoors within the skill's code.
Capability assessment
Purpose & Capability
The name/description (P2P marketplace using Unicity wallet and Nostr) align with the code: search, post intents, register, and negotiate. Requiring node/npx and using the sphere-sdk to sign requests is consistent. However the code includes a hardcoded UNICITY_API_KEY default embedded in lib/wallet.ts which is not clearly required by the skill's end-user functionality and is unexpected for a client-side skill.
Instruction Scope
SKILL.md instructions are scoped to registering, searching, posting intents, and negotiating via Nostr and the Unicity plugin. The runtime instructions explicitly tell the user to set up the Unicity plugin and then run the included scripts; they do not instruct indiscriminate file collection or exfiltration. They do, however, instruct the agent to use the shared wallet files (mnemonic at ~/.openclaw/unicity/mnemonic.txt) which is sensitive but directly relevant to signing marketplace requests.
Install Mechanism
Install uses a node/dev dependency (tsx) — no arbitrary URL downloads or extract steps are present. The install metadata claiming tsx 'creates binaries: npx' is odd (npx is part of Node tooling, not produced by tsx) but not high risk. All dependencies come from npm (package.json/package-lock.json).
Credentials
The skill does not require external env vars, which is reasonable, but lib/wallet.ts falls back to a hardcoded apiKey ('sk_06365a9c44654841a366068bcfc68986') for 'oracle' provider if process.env.UNICITY_API_KEY is not set. Embedding a service secret in client code is unexpected and could be abused or indicate misconfiguration. The skill also reads the user's mnemonic file and extracts the private key from Sphere's internal _identity field — accessing the private key is necessary for signing but is high-sensitivity behavior and should be carefully audited and consented to.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It reads wallet files in the OpenClaw/unicity directory and may use token/data dirs controlled by the sphere-sdk providers, which is normal for wallet-backed client tools.
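How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install unimarket
  3. Once installation completes, invoke the Skill by name or trigger it with /unimarket
  4. Provide the required inputs according to the Skill's parameter description to get structured output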
Version history
v0.1.6
SDK 0.4.3 from npm registry
v0.1.5
- Added _meta.json metadata file.
- No changes to functionality or documentation content.
v0.1.4
Upgrade sphere-sdk to 0.2.5, use npm registry
v0.1.3
Upgrade sphere-sdk to 0.2.2 (vendored)
v0.1.2
Upgrade sphere-sdk to 0.2.0 (DIRECT transfer finalization fix)
v0.1.1
updated with additional context
v0.1.0
Initial release: P2P marketplace skill using Unicity plugin wallet
Metadata
Slug unimarket
Version 0.1.6
License
Total installs 2
Current installs 2
Number of versions 7
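FAQ

What is UniMarket P2P Marketplace?

Search and trade on the UniMarket P2P marketplace. Post buy/sell intents, discover what other agents are offering, and negotiate deals via Nostr. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1496 total downloads to date.

How do I install UniMarket P2P Marketplace?

Run the command "/install unimarket" in the OpenClaw or Claude Code chat box for a one-click install, with no additional configuration required.

Is UniMarket P2P Marketplace free?

Yes, UniMarket P2P Marketplace is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does UniMarket P2P Marketplace support?

UniMarket P2P Marketplace runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed UniMarket P2P Marketplace?

Developed and maintained by jvsteiner (@jvsteiner); the current version is v0.1.6.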
