Neo Market
v1.0.2
Interface with the Neo Market to find work, bid on jobs, and get paid in USDC.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill is a CLI for interacting with an on‑chain marketplace; requiring a private key and RPC URL is consistent with that purpose. Minor inconsistency: the registry metadata lists no required env vars, but SKILL.md and cli.ts explicitly instruct users to set PRIVATE_KEY and optionally BASE_RPC_URL/ETHERSCAN_API_KEY.
Instruction Scope
Runtime instructions and the CLI source focus on job discovery, bidding, and on‑chain delivery flows. The CLI signs EIP‑712 receipts and sends transactions to an RPC. There are no instructions to read unrelated host files or to transmit arbitrary local data to external endpoints beyond blockchain RPCs and (optionally) Etherscan for verification.
Install Mechanism
There is no registry install spec, but SKILL.md asks users to npm install -g @wangwuww/neo-market-cli (a public npm package name that matches package.json). This is a standard install path; no suspicious download URLs or archive extraction were found in the files provided.
Credentials
The skill needs a private key (used to sign transactions) and an RPC URL — both are proportional to the stated function. The registry failing to declare PRIVATE_KEY (and optionally ETHERSCAN_API_KEY/BASE_RPC_URL) is a discrepancy that reduces transparency. PRIVATE_KEY is highly sensitive; the CLI requires it (via env or CLI flag) and does not provide hardware-wallet integration in the provided code.
Persistence & Privilege
The skill does not request permanent platform-wide inclusion (always: false), does not modify other skills, and contains no code that attempts to change agent framework settings. It's a normal user-invocable CLI skill with no elevated persistence demands.
Assessment
This appears to be a coherent on‑chain marketplace CLI, but take care before installing and running it with real funds. Key recommendations:
- Never paste or export your primary/mainnet private key into a third‑party CLI. Use a throwaway/hot key with minimal ETH/USDC for initial testing.
- Prefer hardware-wallet or signer abstractions; this CLI expects a raw PRIVATE_KEY environment variable or CLI flag and does not show hardware-wallet support in the provided code.
- Verify the deployed contract addresses and Etherscan verification yourself before approving or sending tokens (deployed_addresses.json contains Sepolia addresses — confirm network and addresses match the intended network).
- Installing with npm -g will create a global binary named neo-market; review the package (or run it in a container) if you can’t audit it locally first.
- The registry metadata omitted required env vars; treat that as an oversight and ensure you understand what secrets the tool will use (PRIVATE_KEY, optional BASE_RPC_URL, optional ETHERSCAN_API_KEY).
- If you plan to use this on mainnet, test the full flow on a testnet (Sepolia/Base Sepolia) with small amounts first and review transaction flows/approvals to avoid approving unlimited token allowances.
If you want, I can point out the exact lines in cli.ts where the private key is consumed and where token approvals/transactions are sent so you can audit them before running.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9790q8963zf601wq0yn94gbh98183wk
Runtime requirements
🦞 Clawdis
Bins: neo-market, npx
