xona-labs

x402 Creative Resources

Author: Xona Labs · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 667
Favorites: 0
Current installs: 2
Versions: 1
Install in OpenClaw
/install x402-creative-resources
Description
Access Xona's x402 creative resource APIs on api.xona-agent.com. Includes creative director (design research), image generation (nano-banana, seedream, grok-...
Security usage recommendations
This skill will attempt to use a Solana private key (XONA_WALLET_SECRET) to pay for API calls. Before installing:
  1. Confirm the manifest is corrected to list required credentials.
  2. Do not supply a production/private wallet key as a plaintext env var — prefer platform-managed signing or an ephemeral/test wallet with minimal funds.
  3. Audit the npm package @dexterai/x402 (source, reputation, versions) to ensure it doesn't exfiltrate keys.
  4. Require explicit user confirmation for any payment calls or restrict the agent from autonomous invocation when wallet access is present.
  5. If you cannot verify the endpoint (api.xona-agent.com) and the npm package, avoid giving the skill a wallet secret.
If the developer can update the manifest to declare XONA_WALLET_SECRET and explain how signing is done securely (e.g., local signing, no key transmission), re-evaluate; currently the mismatch between declared and actual requirements is the main concern.
Functional analysis
Type: OpenClaw Skill
Name: x402-creative-resources
Version: 1.0.0
The skill bundle is suspicious due to critical vulnerabilities in `SKILL.md` and `scripts/x402-fetch.js`. The `SKILL.md` instructs the agent to execute shell commands with arguments derived from user input, creating a shell injection risk if the agent does not properly sanitize inputs. More critically, `scripts/x402-fetch.js` allows arbitrary URL access (SSRF) if the `endpoint` argument starts with `http`, bypassing the intended `api.xona-agent.com` domain. This, combined with the script's requirement for the `XONA_WALLET_SECRET` environment variable (a Solana private key), creates a high risk of data exfiltration or unauthorized actions if the agent is compromised via prompt injection.
Capability assessment
Purpose & Capability
The skill's stated purpose (paid x402 calls for image/video/news/token intelligence) legitimately requires a payment-capable wallet, so needing wallet access is plausible — but the manifest/requirements list claims no env vars or credentials while the included script requires XONA_WALLET_SECRET. This mismatch is a red flag (either the manifest is incomplete or the skill is trying to obtain a raw private key unexpectedly).
Instruction Scope
SKILL.md instructs running scripts in the agent workspace to call api.xona-agent.com and states the agent wallet 'pays automatically', but it does not document the required XONA_WALLET_SECRET environment variable. The runtime script reads this secret and passes it to a third-party client library, which could sign transactions locally or transmit the private key to remote code — the manifest and instructions do not make this behavior explicit.
Install Mechanism
There is no install spec; the repository includes a package.json declaring an npm dependency (@dexterai/x402). That means the code relies on an npm package but the skill does not specify how/when it will be installed. Using an npm client library is reasonable but should be explicitly declared and vetted; missing install instructions reduce transparency.
Credentials
The script requires a highly sensitive env var (XONA_WALLET_SECRET — a Solana private key). Requiring a raw private key is high privilege and should be clearly declared, justified, and handled via secure platform-managed signing rather than a plaintext env var. The manifest currently lists no required credentials, creating an incoherence between declared and actual needs.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or global agent settings. However, autonomous invocation combined with access to a wallet private key increases the blast radius (the agent could autonomously trigger paid calls); the skill does not document user confirmation behavior for payments.
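How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install x402-creative-resources
  3. Once installation completes, invoke the Skill by name or trigger it with /x402-creative-resources
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history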
v1.0.0
Initial release of x402-creative-resources.
- Provides API access to Xona's x402 creative tools for design research, image and video generation, X news extraction, and PumpFun token trends.
- Supports multiple image generation models (Designer, Grok Imagine, Qwen, Seedream, Nano Banana, and Pro) with clear usage guidance and pricing.
- Enables creative workflow automation using the provided x402-fetch.js script for all endpoints with automatic micropayment handling.
- Includes step-by-step workflow recommendations for creative assets, news content, and token intelligence.
Metadata
Slug x402-creative-resources
Version 1.0.0
License
Total installs 2
Current installs 2
Historical versions 1
FAQ

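What is x402 Creative Resources?

Access Xona's x402 creative resource APIs on api.xona-agent.com. Includes creative director (design research), image generation (nano-banana, seedream, grok-... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 667 cumulative downloads to date.

How do I install x402 Creative Resources?

Run the command "/install x402-creative-resources" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is x402 Creative Resources free?

Yes, x402 Creative Resources is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does x402 Creative Resources support?

x402 Creative Resources runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed x402 Creative Resources?

It is developed and maintained by Xona Labs (@xona-labs); the current version is v1.0.0.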
