Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DeBox Community

Manage DeBox communities, DAOs, and NFT groups. Use when you need to verify group membership, check voting/lottery participation, query group info, or valida...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 22 · 0 current installs · 0 all-time installs
Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill's stated purpose (DeBox community queries) matches the code and docs. However the registry metadata declared no required environment variables while SKILL.md and the CLI require DEBOX_API_KEY (and optionally DEBOX_DEFAULT_GROUP). That mismatch is an incoherence and reduces trust.
Instruction Scope
SKILL.md and scripts only describe querying the DeBox API and local files (e.g., wallets.txt for batch-verify). This stays within the stated purpose. Two issues: (1) SKILL.md tells users to place a config.json under ~/.openclaw/workspace/debox-community, but the code reads ../config.json relative to the scripts folder (potential path mismatch). (2) The repository includes a config.json containing an apiKey value — embedding a key in the package contradicts the guidance to set your own API key and may leak a credential.
Install Mechanism
There is no remote install script in the skill bundle (instruction-only install), but package.json lists native image libraries (canvas, sharp). Installing those requires native build steps and pulls optional native binaries via npm; this is expected because the CLI can generate image reports, but it increases installation complexity and attack surface compared to a pure-JS tool.
! Credentials
The skill legitimately needs a DeBox API key, but the registry metadata failed to declare it. More importantly, the package includes a config.json with an API key value (cleartext). Shipping a credential inside the skill is disproportionate and risky — if that key is valid it could be abused, rate-limited, or revoked; if it's someone else's key it may indicate sloppy handling or deliberate leaking.
Persistence & Privilege
The skill is not always-enabled and does not request elevated system privileges or modify other skills. It runs as a normal CLI skill and reads local files the user supplies (wallet lists, config).
Scan Findings in Context
[HARD_CODED_API_KEY] unexpected: config.json included in the package contains a cleartext apiKey property ("z75mrVAEC3JAhdB4"). A DeBox API key is required, but embedding a key in the repo is not appropriate and could be a leak or accidental inclusion.
[MISSING_DECLARED_ENV] unexpected: Registry metadata lists no required env vars, but SKILL.md and the code require DEBOX_API_KEY and optionally DEBOX_DEFAULT_GROUP. The missing declaration is an incoherence.
[NATIVE_DEPENDENCIES_SHARP_CANVAS] expected: package.json depends on canvas and sharp, which is consistent with the SKILL.md's image report feature; expected but increases installation surface due to native builds and optional native binaries.
What to consider before installing
This skill implements DeBox API calls and mostly does what its description says, but there are important red flags you should address before installing or using it:

- Do not trust the API key bundled in config.json. Treat it as sensitive: either remove the file or replace the key with your own. If that key looks like a real credential, assume it may be active and consider asking the publisher to confirm or revoke it.
- The registry metadata omitted required env vars; the CLI actually needs DEBOX_API_KEY (set via env or config). Prefer setting DEBOX_API_KEY as an environment variable rather than leaving credentials in a file inside the skill folder.
- The package installs native image libraries (canvas, sharp). These require native toolchains and can execute code during npm install. If you must install, do so in a sandboxed environment or CI runner and review npm install output.
- Confirm the API base (https://open.debox.pro/openapi) and endpoints are the official DeBox developer endpoints. If you have doubts, verify against DeBox's official docs or developer portal.
- The code reads files you provide (e.g., wallets.txt) for batch operations; ensure you do not feed private wallet lists or other sensitive data unless necessary.

If you are not comfortable with the embedded key or the native dependency install steps, do not install the skill. If you proceed, remove the bundled config.json (or replace its apiKey), set DEBOX_API_KEY in your environment, and consider running npm install inside an isolated container. If the included apiKey is a real, untrusted key, ask the publisher to rotate/revoke it.
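
The checks recommended above can be scripted and run on an unpacked bundle before `npm install`. This is an added example, not code from the skill or from ClawHub; the function name `auditBundle`, the finding label `NATIVE_DEPENDENCIES`, and every sample input are constructed for illustration.

```javascript
// Added example: offline pre-install audit of a skill bundle (not the skill's own code).
// Placeholder comes from the SKILL.md template; any other apiKey is treated as a credential.
const PLACEHOLDERS = new Set(['', 'your-api-key']);
const NATIVE_DEPS = new Set(['canvas', 'sharp']); // native packages named in the scan

function auditBundle({ configJson, packageJson, skillMd = '', declaredEnv = [] }) {
  const findings = [];
  if (configJson != null) {
    let cfg = {};
    try { cfg = JSON.parse(configJson) || {}; } catch { /* unparseable: no key to report */ }
    const key = typeof cfg.apiKey === 'string' ? cfg.apiKey.trim() : '';
    // Report only the length so the audit output never repeats the secret.
    if (!PLACEHOLDERS.has(key)) {
      findings.push({ id: 'HARD_CODED_API_KEY', detail: `apiKey set (${key.length} chars)` });
    }
  }
  // Env vars the docs mention but the registry metadata does not declare.
  const used = [...new Set(skillMd.match(/\bDEBOX_[A-Z0-9_]+\b/g) || [])];
  const missing = used.filter((v) => !declaredEnv.includes(v));
  if (missing.length) findings.push({ id: 'MISSING_DECLARED_ENV', detail: missing.join(', ') });
  if (packageJson != null) {
    const pkg = JSON.parse(packageJson);
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    const native = Object.keys(deps).filter((d) => NATIVE_DEPS.has(d)).sort();
    if (native.length) findings.push({ id: 'NATIVE_DEPENDENCIES', detail: native.join(', ') });
  }
  return findings;
}

// Constructed sample bundle (not the real package contents).
const SAMPLE = {
  configJson: '{"apiKey": "CONSTRUCTED-SAMPLE-KEY", "defaultGroupId": ""}',
  packageJson: '{"dependencies": {"sharp": "*", "canvas": "*", "example-pure-js-dep": "*"}}',
  skillMd: 'export DEBOX_API_KEY="your-api-key"\nDEBOX_DEFAULT_GROUP is optional',
  declaredEnv: [], // the registry metadata declared none
};

for (const f of auditBundle(SAMPLE)) console.log(`[${f.id}] ${f.detail}`);
```

To audit a real bundle, pass the contents of its config.json, package.json and SKILL.md as strings, together with the env vars listed in the registry metadata.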

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk97d9n2xd17geyxyg4rf17z4m1830a6w


SKILL.md

DeBox Community Management

Manage DeBox communities, verify membership, and analyze community engagement.

Quick Start

Configuration

Set the DEBOX_API_KEY environment variable:

export DEBOX_API_KEY="your-api-key"

Or add to ~/.openclaw/workspace/debox-community/config.json:

{
  "apiKey": "your-api-key",
  "defaultGroupId": "optional-default-group-id"
}

Get your API Key from https://developer.debox.pro

Commands

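Personal Data Report (Recommended)

View your DeBox personal data report:

node scripts/debox-community.js profile --user-id "abc123"

Returns: nickname, user ID, wallet address, level, praise (like) data.

How to get your user_id:

  1. Open the DeBox app
  2. Go to your profile page
  3. Tap Share and copy the link
  4. The id parameter in the link is your user_id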

Group Info

Query group information:

node scripts/debox-community.js info --url "https://m.debox.pro/group?id=fxi3hqo5"

Returns: group name, member count, description, creator.

Member Verification

Check if a user is in a group:

node scripts/debox-community.js check-member --wallet "0x2267..." --group-url "https://m.debox.pro/group?id=fxi3hqo5"

Returns: boolean membership status.

User Profile

Get user profile information (nickname, avatar, wallet address):

node scripts/debox-community.js user-info --user-id "abc123"

Returns: user_id, nickname, avatar, wallet address.

Note: This API only supports user_id, not wallet address.

Vote Stats

Query a user's voting activity in a group:

node scripts/debox-community.js vote-stats --wallet "0x2267..." --group-id "fxi3hqo5"

Returns: vote count, recent votes.

Lottery Stats

Query a user's lottery participation:

node scripts/debox-community.js lottery-stats --wallet "0x2267..." --group-id "fxi3hqo5"

Returns: lottery count, win history.

Praise Info

Get a user's praise/like data:

node scripts/debox-community.js praise-info --wallet "0x2267..." --chain-id 1

Returns: total likes received, recent praise.

Comprehensive Verification

Verify user eligibility with multiple criteria:

node scripts/debox-community.js verify --wallet "0x2267..." --group-url "..." --min-votes 5 --min-lotteries 1

Returns: pass/fail status with detailed breakdown.

API Reference

See references/api.md for complete API documentation.

Use Cases

DAO Membership Verification

Verify if a user is a DAO member with voting history:

node scripts/debox-community.js verify --wallet "0xabc..." --group-url "https://m.debox.pro/group?id=dao123" --min-votes 1

NFT Community Access

Verify that an NFT holder is in the community group:

node scripts/debox-community.js check-member --wallet "0xabc..." --group-url "https://m.debox.pro/group?id=nft456"

Whitelist Generation

Batch verify multiple wallets:

node scripts/debox-community.js batch-verify --file wallets.txt --group-url "..." --min-votes 3

Error Handling

| Error | Cause | Solution |
|---|---|---|
| INVALID_API_KEY | API key missing or invalid | Check configuration |
| GROUP_NOT_FOUND | Group ID/URL invalid | Verify group URL format |
| USER_NOT_FOUND | Wallet address not registered | Confirm user has DeBox account |
| RATE_LIMIT | Too many requests | Wait and retry |

Environment Variables

| Variable | Required | Description |
|---|---|---|
| DEBOX_API_KEY | Yes | Your DeBox API key |
| DEBOX_DEFAULT_GROUP | No | Default group ID for commands |

Files

8 total