← 返回 Skills 市场
rink1969

web5 cli

作者 rink1969 · GitHub ↗ · v0.1.2
cross-platform ⚠ suspicious
420
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install web5-cli
功能描述
Use when working with Web5 CLI tool for decentralized identity, CKB wallet, DID management, PDS data operations, account creation, posting, profile updates
安全使用建议
What to consider before installing/running: 1) Source trust: the skill has no homepage and the registry owner is unknown — verify the npm 'web5-cli' package author and checksum before installing. 2) Sensitive files: the scripts and CLI will access and may write sensitive keys and tokens in ~/.web5-cli (signkey, ckb-sk, account.json). Back up and protect these files; consider running the workflow in a sandbox. 3) Prompt-injection: SKILL.md contains a detected base64-like block — inspect the full SKILL.md for any encoded text or hidden instructions and remove/clean them. 4) Run audit: review the included Python scripts yourself (they mostly call web5-cli and parse JSON; note minor bugs referencing undefined variables in error paths). 5) Least privilege: do not run as a privileged user; limit network exposure and validate the PDS host you pass to commands. If you are unsure about the package provenance or the encoded content, do not install or run these scripts.
功能分析
Type: OpenClaw Skill Name: web5-cli Version: 0.1.2 The skill is classified as suspicious primarily due to the explicit plaintext storage of private keys for both DID signing and CKB wallet operations, as detailed in the `SKILL.md` file (`~/.web5-cli/signkey`, `~/.web5-cli/ckb-sk`). While the `SKILL.md` explicitly states this is a 'technical validation tool' and 'Do NOT use in production environments', operating with plaintext private keys is a critical vulnerability. The Python scripts (`scripts/create_account.py`, `scripts/destroy_account.py`) use `subprocess.run` to execute `web5-cli` commands, performing sensitive operations like creating/destroying accounts, sending transactions, and managing PDS data, all within this insecure key management context. Although the scripts themselves use `subprocess.run` with argument lists (mitigating direct shell injection from the script's own code), the overall reliance on a tool that stores keys in plaintext makes the entire skill bundle high-risk.
能力评估
Purpose & Capability
The name/description and provided Python scripts align with a Web5 CLI account lifecycle helper (create/destroy account, PDS interactions). However the skill metadata declares no required binaries or credentials even though SKILL.md and the scripts assume the 'web5-cli' binary is installed (SKILL.md suggests `npm install -g web5-cli`). That mismatch is sloppy and should be resolved by the author.
Instruction Scope
The runtime instructions and included scripts instruct the agent to run many web5-cli commands that access local keystore and wallet files (~/.web5-cli/signkey, ~/.web5-cli/ckb-sk) and to write ~/.web5-cli/account.json (stores username, DID, didkey, address, PDS domain and potentially tokens). The SKILL.md had a pre-scan 'base64-block' prompt-injection signal — an instruction-only doc embedding encoded or injected content can attempt to manipulate agents. While the scripts do not show explicit exfiltration, the combination of embedded prompt-injection patterns and operations that handle private keys is a material concern.
Install Mechanism
There is no install spec for the skill itself (instruction-only), which is low-risk. The README tells users to install 'web5-cli' via npm; that is normal for this functionality. The skill does not contain an automated download/execute install step that would fetch arbitrary code.
Credentials
The skill declares no required environment variables or credentials, but uses CKB_NETWORK (optional) and accesses local key/wallet files via web5-cli. Access to private keystore and wallet files is expected for a wallet/DID manager, but because secrets and tokens may be written to ~/.web5-cli/account.json, the skill should explicitly document and justify this sensitive access. The lack of declared required binaries/credentials is an omission.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges. It writes and reads files under ~/.web5-cli and creates temporary files, which is within scope for an account management tool. Autonomous invocation is allowed (platform default) but not combined here with an always:true or other high-privilege requests.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install web5-cli
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /web5-cli 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.2
- Added sample workflow scripts: create_account.py and destroy_account.py for automated account management. - Updated documentation to include multi-step workflows for account creation, destruction, profile update, and posting. - Introduced persistent account info storage at ~/.web5-cli/account.json after account creation. - Clarified CLI usage notes, including parameter conventions and safe key management. - Improved overall guidance for automated and script-based usage with Web5 CLI.
v0.1.0
- Initial release of web5-cli, a command-line tool for Web5 decentralized identity and data management. - Supports key management (signing, import, signing, verification), CKB wallet operations (create, import, balance checks, send/check transactions), and DID lifecycle on CKB. - Provides PDS (Personal Data Store) interactions, including account management, login, data writing, and export/import. - All commands output results in JSON format for integration and automation. - Security: stores private keys in plaintext for testing—do not use in production. - Includes sample data structures and workflow examples for user profiles, posts, comments, likes, and DAO proposals/interactions.
元数据
Slug web5-cli
版本 0.1.2
许可证
累计安装 0
当前安装数 0
历史版本数 2
常见问题

web5 cli 是什么?

Use when working with Web5 CLI tool for decentralized identity, CKB wallet, DID management, PDS data operations, account creation, posting, profile updates. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 420 次。

如何安装 web5 cli?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install web5-cli」即可一键安装,无需额外配置。

web5 cli 是免费的吗?

是的,web5 cli 完全免费(开源免费),可自由下载、安装和使用。

web5 cli 支持哪些平台?

web5 cli 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 web5 cli?

由 rink1969(@rink1969)开发并维护,当前版本 v0.1.2。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论