← 返回 Skills 市场
web3dropper

Web3dropper Crypto Price Skill

作者 Web3Dropper · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
334
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install web3dropper-crypto-price
功能描述
Billions/Iden3 authentication and identity management tools for agents. Link, proof, sign, and verify.
安全使用建议
Be cautious before installing. The package is primarily an identity management toolkit (not just a 'crypto price' skill) and will generate and store private keys unencrypted under $HOME/.openclaw/billions and send signed tokens/URLs to arbitrary recipients via the openclaw CLI. If you only want a Binance price fetcher, do not install this package. If you need the identity functionality, verify the upstream project (billions.network), inspect the sendDirectMessage/openclaw invocation code, and only run it in a controlled environment. Consider the following steps before proceeding: (1) confirm the skill's origin and that the domains (rpc-mainnet.billions.network, attestation-relay.billions.network, wallet.billions.network) are trustworthy; (2) inspect the KeysFileStorage implementation and decide whether plaintext key storage is acceptable for your threat model; (3) avoid running these scripts on machines that hold other sensitive keys/accounts; (4) run npm install in an isolated environment (container/VM) and audit installed dependencies; (5) if you must use it, limit the recipients you pass to the --to argument and prefer manual review of any generated callback URLs. If you want help locating the specific lines that write/read kms.json or where the signed JWS is constructed and sent, I can point them out or extract them for review.
功能分析
Type: OpenClaw Skill Name: web3dropper-crypto-price Version: 1.0.0 The bundle provides a decentralized identity (DID) management toolkit for AI agents, but is classified as suspicious due to a critical security vulnerability: private keys are stored unencrypted in `kms.json` within the `$HOME/.openclaw/billions/` directory. While the documentation in `SKILL.md` and `README.md` explicitly acknowledges this risk, it remains a significant flaw. The bundle also exhibits an inconsistent structure, with a mismatch between the root metadata slug (`web3dropper-crypto-price`) and the primary skill instructions (`verified-agent-identity`), and it contains a nested, unrelated crypto price fetching script. Legitimate domains such as `billions.network` and `privado.id` are used for identity resolution and relaying.
能力评估
Purpose & Capability
Registry name/summary ('Web3dropper Crypto Price Skill') suggests a simple Binance price fetcher, but the repository and SKILL.md are largely an identity toolkit for Billions/iden3 (many files, KMS, DID management, signing, attestation). The included 'my-agent-skill' small Binance script exists, but it is a minor piece of a much larger identity package. This mismatch is incoherent and could indicate repackaging or mislabeling.
Instruction Scope
Runtime instructions tell the agent to run npm install and multiple scripts that create/import private keys, sign challenges, build authorization requests and call openclaw to send messages containing signed JWS/callback URLs. Those scripts persist unencrypted private keys and produce callback URLs containing JWS tokens — sending those to arbitrary recipients could expose attestation tokens or enable linking to malicious recipients if the --to argument is set incorrectly or by a malicious prompt. The SKILL.md guardrails try to limit dangerous actions, but the scripts themselves perform sensitive I/O and network calls outside the agent workspace.
Install Mechanism
No formal install spec is provided in the registry (instruction-only), but SKILL.md instructs running 'cd scripts && npm install' which will install many npm dependencies (some large SDKs). Pulling these npm packages is standard for the identity functionality; there's no remote archive download or URL shortener in the install path. The presence of heavy dependencies is proportionate to iden3/PolygonID usage, but increases surface area compared with a tiny price-fetching skill.
Credentials
The skill requests no environment variables, but writes and reads sensitive cryptographic material to $HOME/.openclaw/billions (kms.json with privateKeyHex stored in plaintext). While local key storage is needed for identity operations, unencrypted key persistence in a home directory is sensitive and may be disproportionate if the user did not expect identity management. The scripts also contact RPC and relay endpoints (rpc-mainnet.billions.network and attestation-relay.billions.network), which are expected for this purpose but should be verified as legitimate.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It creates persistent files under $HOME/.openclaw/billions (kms.json, identities.json, challenges.json, defaultDid.json). Persistent storage is necessary for a DID/key toolkit, but that is a significant privilege and means the skill will have long-term access to local private keys once installed.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install web3dropper-crypto-price
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /web3dropper-crypto-price 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
**Initial release of verified-agent-identity skill.** - Provides Billions/Iden3 authentication and decentralized identity management tools for agents. - Supports creating and managing agent identities, linking an agent’s DID to a human owner, signing and verifying challenges, and handling shared JWT authentication. - Includes scripts for key identity operations: creation, listing, challenge generation, challenge signing, identity linking, and signature verification. - Stores all identity and credential data in `$HOME/.openclaw/billions` for OpenClaw compatibility. - Strict guardrails enforce proper script usage and prohibit manual cryptographic operations or unauthorized file access.
元数据
Slug web3dropper-crypto-price
版本 1.0.0
许可证
累计安装 0
当前安装数 0
历史版本数 1
常见问题

Web3dropper Crypto Price Skill 是什么?

Billions/Iden3 authentication and identity management tools for agents. Link, proof, sign, and verify. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 334 次。

如何安装 Web3dropper Crypto Price Skill?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install web3dropper-crypto-price」即可一键安装,无需额外配置。

Web3dropper Crypto Price Skill 是免费的吗?

是的,Web3dropper Crypto Price Skill 完全免费(开源免费),可自由下载、安装和使用。

Web3dropper Crypto Price Skill 支持哪些平台?

Web3dropper Crypto Price Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Web3dropper Crypto Price Skill?

由 Web3Dropper(@web3dropper)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论