Total downloads: 772
Favorites: 2
Current installs: 1
Versions: 1
Install in OpenClaw
/install xmd
Description
Interact with Metal Dollar (XMD) stablecoin to mint, redeem, check supply, collateral reserves, and oracle prices with zero fees and multi-collateral support.
Safe usage recommendations
This skill provides read-only analytics and also supports mint/redeem operations that require signing with your XPR private key. Before installing or enabling write actions:
1) Treat XPR_PRIVATE_KEY as extremely sensitive — only supply it if you fully trust the skill and its author.
2) Ask the maintainer to update skill.json and SKILL.md to explicitly list required env vars (XPR_PRIVATE_KEY, XPR_ACCOUNT, XPR_PERMISSION) and describe when they are used.
3) If you only need read-only data, avoid supplying any private key and use the read tools; consider running the included test-read.mjs in an isolated environment to verify read-only behavior.
4) Prefer using a separate account or a key with limited permissions (if possible) for signing, and review the code locally to confirm there are no unexpected network endpoints or exfiltration logic.
5) If you cannot confirm the origin/trustworthiness of the owner (owner id: kn7fkc3h30sk93cx039q57pqj5812pkc, source unknown), avoid providing credentials and treat the skill as untrusted for write operations.
Functional analysis
Type: OpenClaw Skill
Name: xmd
Version: 0.2.11
The skill is classified as suspicious due to a critical discrepancy in its manifest. While the `src/index.ts` code explicitly requires `process.env.XPR_PRIVATE_KEY` and `process.env.XPR_ACCOUNT` for its 'write' operations (`xmd_mint`, `xmd_redeem`), the `skill.json` file declares `"requires": { "env": [] }`. This omission in `skill.json` represents a vulnerability, as it misinforms an agent operator about the sensitive environment variables the skill will attempt to access, potentially leading to accidental exposure or misconfiguration. The code itself performs legitimate blockchain interactions with hardcoded, known contract addresses and does not exhibit other malicious behaviors like data exfiltration to unauthorized endpoints, arbitrary code execution, or persistence mechanisms.
Capability assessment
Purpose & Capability
The skill implements read-only RPC helpers and write tools that sign transactions using a user's XPR private key — this capability matches the described mint/redeem functionality. However, the skill.json manifest declares no required env vars (requires.env is empty) while src/index.ts clearly expects XPR_PRIVATE_KEY, XPR_ACCOUNT, and XPR_PERMISSION. The absence of declared credentials in the manifest is inconsistent and surprising for users.
Instruction Scope
SKILL.md documents read-only tools and notes that write tools require confirmation, but it does not document the need to provide a private key/account via environment variables. The code reads process.env.XPR_PRIVATE_KEY and process.env.XPR_ACCOUNT directly for signing; this access to sensitive secrets is not described in the runtime instructions, which is a scope mismatch and a user-notice problem.
Install Mechanism
There is no install spec (instruction-only), which reduces install risk. The runtime code dynamically imports '@proton/js' for signing — a legitimate dependency for EOS/Proton-style transaction signing — but no dependency/install information is declared in the manifest. This may cause runtime failures or hidden dependency pulls if the environment attempts to install packages automatically.
Credentials
The code requires highly sensitive environment variables (XPR_PRIVATE_KEY and XPR_ACCOUNT) for write operations. That is proportionate to the claimed write capability (signing on-chain), but the skill fails to declare these requirements in skill.json and SKILL.md. Not declaring sensitive credentials is a serious transparency issue: a user could unintentionally provide a key without realizing which skill will use it, or fail to realize the risk of granting signing capability.
Persistence & Privilege
The skill is not force-included (always: false) and does not attempt to modify other skills or system-wide settings. Autonomous invocation is enabled by default (disable-model-invocation: false) but this is normal; no elevated permanence or cross-skill modifications are present.
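How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the dialog: /install xmd
- Once installation completes, call the Skill by name or trigger it with /xmd
- Provide the required inputs according to the Skill's parameter description to get structured output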
Version history
v0.2.11
xmd 0.2.11
- Added detailed SKILL.md documentation for Metal Dollar (XMD) stablecoin.
- Clarified minting and redemption processes, including memos and supported collateral.
- Listed all supported collateral types with respective parameters.
- Described associated contracts and read/write tool functions.
- Included current safety rules and operational checks for users.
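FAQ
What is xpr-xmd?
Interact with Metal Dollar (XMD) stablecoin to mint, redeem, check supply, collateral reserves, and oracle prices with zero fees and multi-collateral support. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 772 total downloads to date.
How do I install xpr-xmd?
Run the command "/install xmd" in the OpenClaw or Claude Code dialog to install it in one step; no additional configuration is needed.
Is xpr-xmd free?
Yes, xpr-xmd is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does xpr-xmd support?
xpr-xmd is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed xpr-xmd?
Developed and maintained by paulgnz (@paulgnz); the current version is v0.2.11.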