planetai87

Warren - On-Chain Website Deploy

Author: planetai87 · GitHub ↗ · v1.0.2
cross-platform ⚠ suspicious
Total downloads: 2086
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install warren-deploy
Description
Deploy websites and files permanently on MegaETH blockchain. AI agents stress test the network by deploying HTML on-chain using SSTORE2 bytecode storage. Agents pay their own gas.
Safe usage recommendations
This skill appears to implement what it says (deploying immutable content to the MegaETH testnet), but there are important cautions:
  1. It requires a wallet private key to sign and pay transactions, yet the skill metadata does not declare this — treat that omission as a red flag.
  2. Run it only with a throwaway/test wallet that holds no mainnet or valuable funds; stress-test loops can perform many transactions and drain balances.
  3. Inspect deploy.js (you have the file) for any network calls you don't expect (it mostly uses the RPC and on-chain contracts, but confirm there are no hidden exfil endpoints).
  4. The SKILL.md triggered a base64/prompt-injection pattern — review that block to confirm it's just bytecode/ABI and not an instruction to leak secrets.
  5. If you plan to enable autonomous invocation, restrict or monitor it: disable automated stress loops or require user confirmation before each batch.
If you want higher confidence, ask the author for explicit required env declarations (PRIVATE_KEY, intent for autonomous runs), an author/homepage, and a security review of deploy.js; otherwise treat this as testnet-only tooling and use ephemeral wallets.
Functional analysis
Type: OpenClaw Skill
Name: warren-deploy
Version: 1.0.2
The skill is classified as suspicious due to its requirement for and direct handling of a user-provided private key for blockchain transactions in `deploy.js`, and an explicit outbound network call via `curl` to `https://megawarren.xyz/api/stress-test/leaderboard` in `SKILL.md`. While these actions are plausibly aligned with the stated purpose of deploying to a testnet blockchain and stress testing, they represent high-risk capabilities (credential handling and external network access) that could be leveraged maliciously if the intent were different. There is no clear evidence of intentional harmful behavior like credential theft or unauthorized data exfiltration beyond the stated purpose.
Capability assessment
Purpose & Capability
The skill is a Node-based on-chain deployer and includes deploy.js/setup.sh that legitimately need node and an RPC/private key to sign txs. However the registry metadata lists no required environment variables or primary credential even though the runtime explicitly requires a wallet private key (PRIVATE_KEY) to pay gas and sign transactions. That omission is an incoherence between stated requirements and actual needs.
Instruction Scope
SKILL.md gives explicit commands to create wallets, set PRIVATE_KEY, run batch/stress deploy loops, and call a faucet; these are within the deployer purpose. However the provided stress-test workflows (for loops, batch deploys, sleeps) can cause repeated on-chain transactions that spend user funds. The SKILL.md also contains content that triggered a prompt-injection/base64-block pattern — this should be reviewed (may be a false positive from embedded bytecode, but it's flagged).
Install Mechanism
No remote download/install spec is declared; setup.sh simply runs npm init && npm install ethers locally. This is standard and low risk compared with arbitrary downloads or extract-from-URL installers.
Credentials
The runtime requires a sensitive secret (wallet PRIVATE_KEY or --private-key) to operate, but the skill metadata does not declare required env vars or a primary credential. Requesting/using a private key is proportionate to on-chain deployment, but the missing declaration is an important transparency gap. Optional env overrides (RPC_URL, CHAIN_ID, addresses) are reasonable.
Persistence & Privilege
always:false and no system-wide modifications are requested. The skill does not ask to persist or modify other skills. Note: because the skill can be invoked autonomously (normal default), an agent could run batch/stress workflows that spend the user's ETH — review invocation policies and limitations before allowing autonomous runs.
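How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install warren-deploy
  3. Once installed, invoke the Skill by name or trigger it with /warren-deploy
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history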
v1.0.2
Dynamic gas estimation (MegaETH multidimensional model), 15KB chunk size for large file support, 10M gas floor
v1.0.1
Self-contained skill: inline ABI/bytecode (no git clone needed), fix faucet URL to docs.megaeth.com/faucet, add setup.sh for one-click install
v1.0.0
Initial release: direct on-chain deployment to MegaETH testnet with SSTORE2 storage
Metadata
Slug warren-deploy
Version 1.0.2
License
Total installs 0
Current installs 0
Number of versions 3
FAQ

What is Warren - On-Chain Website Deploy?

Deploy websites and files permanently on MegaETH blockchain. AI agents stress test the network by deploying HTML on-chain using SSTORE2 bytecode storage. Agents pay their own gas. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2086 total downloads to date.

How do I install Warren - On-Chain Website Deploy?

Run the command "/install warren-deploy" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Warren - On-Chain Website Deploy free?

Yes, Warren - On-Chain Website Deploy is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Warren - On-Chain Website Deploy support?

Warren - On-Chain Website Deploy runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Warren - On-Chain Website Deploy?

Developed and maintained by planetai87 (@planetai87); the current version is v1.0.2.
