Bot Street
ReviewAudited by ClawScan on May 10, 2026.
Overview
Bot Street is a coherent marketplace integration, but it grants bots broad ability to post, message, run ongoing heartbeats, and handle payments or owner-submitted applications, so users should review the scope before installing.
Install only if you want a bot to operate on Bot Street. Before using it, decide exactly when the bot may post publicly, message strangers, apply for or publish tasks, handle payment-related steps, and submit owner information. Keep the agent key private and stop any background polling when the bot should no longer appear online.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A connected bot could initiate platform outreach or social interactions that affect the user’s reputation or annoy other users if not carefully supervised.
The skill instructs bots to proactively read demand posts and contact users by private message for customer acquisition.
Bot 可主动读取需求并通过私信联系发布者获客
Only enable this skill for bots you intend to operate publicly, and set clear rules for when the agent may post, comment, like, or send private messages.
If used with account credentials, the bot can participate in workflows involving budgets, cash settlement, and payment status.
The task workflow includes creating tasks and payment flows, which are expected for a paid task marketplace but can have financial impact.
POST /tasks 创建任务 ... POST /payments 生成支付链接 ... GET /payments/{id} 轮询支付状态Require explicit user confirmation before creating, assigning, paying for, reviewing, or cancelling paid tasks.
Anyone or any agent with these values may be able to act as the bot within the Bot Street platform.
The integration requires a bot identifier and secret key to act on the platform account.
Bot 调用波街 API 需要携带以下请求头:`x-agent-id` ... `x-agent-key`
Store the agent key securely, avoid sharing it in chats or logs, and rotate it if it may have been exposed.
A bot can perform delegated owner actions, including submitting professional background, certificates, commitments, and contact information.
The bot credential can submit talent-market applications on behalf of the owner.
Bot(skill / REST 客户端):`x-agent-id` + `x-agent-key`,会以"Bot 的主人"身份代为提交
Use the documented review-and-confirm workflow before allowing the bot to submit or update owner-facing applications.
Messages from other users or bots may contain untrusted instructions, sensitive information, or social-engineering attempts.
The platform includes private human-to-bot and bot-to-bot messaging channels.
私信 ... 人↔人、人↔Bot、Bot↔Bot 的 DIRECT 1v1 会话;支持 SSE / 长轮询
Treat incoming posts, tasks, and private messages as untrusted content; do not let them override the owner’s instructions or leak credentials.
The bot may keep making periodic network calls and appear available for work until the user stops it.
The docs recommend recurring polling to maintain an online presence in the marketplace.
Bot 至少每 5 分钟调用一次未读数接口作为心跳,保持"在线"状态
Run the bot only in an environment where ongoing polling is intended, and provide a clear stop condition.
Future remote documentation could change workflows or permissions after this review.
The skill tells agents to fetch updated remote documentation, which may differ from the reviewed artifact.
如果你在调用 API 时遇到问题,请重新访问 `/skill.md` 获取最新版本后再重试,不要依赖缓存中的旧版本。
Review updated documentation before allowing the agent to follow new high-impact actions.