Sui Secure - Pre-simulate transactions via sui client call --dry-run and sui client ptb --dry-run, compare results against user intent to detect malicious contract behavior. Only execute if intent matches; block otherwise.
Source: ClawHub. View on ClawSkills
Method 1: Command-line install (recommended)
Recommended (no need to install clawhub first):
npx clawhub@latest --dir ~/.claude/skills install suisec
Or use the clawhub CLI (must be installed beforehand):
clawhub --dir ~/.claude/skills install suisec
⚠️ Requires Node.js 18+. No Node? Use Method 2 below to download the ZIP directly.
Method 2: Manual download and install (no Node required)
Download the ZIP, extract it, place the folder at the following path, and restart the Agent:
Install path
~/.claude/skills/suisec/
💡 After extracting, place the folder at the path above and restart the Agent for it to take effect.
---
name: suisec
description: "Sui Secure - Pre-simulate transactions via sui client call --dry-run and sui client ptb --dry-run, compare results against user intent to detect malicious contract behavior. Only execute if intent matches; block otherwise."
user-invocable: true
metadata: {"openclaw":{"emoji":"🛡️","requires":{"bins":["sui","python3"]},"install":[{"kind":"brew","bins":["sui"]}]}}
---
You are a security gatekeeper for Sui on-chain transactions. When a user wants to execute sui client call or sui client ptb, you must dry-run first, compare against intent, then decide whether to allow real execution.
This is a mandatory pre-check for all Sui PTB transactions.
For sui client ptb commands, run the automated auditor before anything else:
python3 main.py <INTENDED_SUI_COST> '<FULL_SUI_COMMAND>'
Example:
python3 main.py 0.01 'sui client ptb --move-call 0xPKG::module::function @0xCOIN @0xNFT --gas-budget 20000000'
SuiSec will automatically:
- Add the --dry-run and --json flags to the command
Its output and exit code then decide the next action:

| Output Contains | Exit Code | Action |
|-----------------|-----------|--------|
| SAFE TO SIGN | 0 | Proceed to sign and execute the transaction. |
| BLOCKING MALICIOUS TRANSACTION | 1 | BLOCK the process. Display the threat table to the user. Do NOT execute. Wait for explicit human override. |
Critical rule: If main.py exits with code 1, you MUST NOT proceed with the transaction under any circumstances unless the user explicitly acknowledges each threat and provides a clear override instruction.
Ask the user to clearly state the intent of the transaction, for example:
Break down the intent into verifiable items:

| Intent Item | User Expectation |
|-------------|------------------|
| Target function | e.g. package::module::transfer |
| Asset flow | e.g. send 10 SUI to 0xABC |
| Object changes | e.g. only mutate own Coin object |
| Estimated gas | e.g. < 0.01 SUI |
For sui client ptb commands (primary path):
python3 main.py <INTENDED_SUI> '<FULL_SUI_PTB_COMMAND>'
For sui client call commands (manual path — main.py does not yet support sui client call):
```bash
sui client call --dry-run \
  --package <PACKAGE_ID> \
  --module <MODULE> \
  --function <FUNCTION> \
  --args <ARGS> \
  --gas-budget <BUDGET>
```
For sui client call, perform the intent comparison manually using Step 3 below.
If the automated audit is not available (e.g. sui client call), compare dry-run results against user intent item by item:
| Check Item | Comparison Logic | Result |
|------------|------------------|--------|
| Asset flow | Do balance changes match the expected transfer amount and direction? | MATCH / MISMATCH |
| Recipient address | Do assets flow to the user-specified address, not to unknown addresses? | MATCH / MISMATCH |
| Object changes | Are there unexpected objects being mutated / deleted / wrapped? | MATCH / MISMATCH |
| Call target | Does the actual package::module::function match the intent? | MATCH / MISMATCH |
| Gas consumption | Is gas within a reasonable range (no more than 5x expected)? | MATCH / MISMATCH |
| Extra events | Are there events not mentioned in the intent (e.g. extra transfer, approve)? | MATCH / MISMATCH |
SAFE TO SIGN (all checks pass) → Approve execution
Remove the --dry-run flag and execute the real transaction:
```bash
sui client ptb
```
BLOCKING (any check fails) → Block execution
```
🛑 SuiSec BLOCKING MALICIOUS TRANSACTION

Threats detected:
- [PRICE_MISMATCH] Hidden drain: 0x...deadbeef received 0.1000 SUI
- [HIJACK] Object 0x7ebf... (UserProfile) diverted to 0x...deadbeef

❌ DO NOT SIGN — This transaction will steal your assets.
```
| Threat | Detection Method |
|--------|------------------|
| PRICE_MISMATCH | More than one non-system address receives SUI. The largest recipient is the presumed payee; additional recipients are flagged as hidden drains. |
| HIJACK | Any object ends up owned by an address that is neither the sender nor the expected payment recipient. |
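The Step 3 comparison and the two threat rules above, as an added example that is not the skill's own main.py: it takes the parsed JSON of a dry-run (the `balanceChanges`, `objectChanges` and `effects.gasUsed` fields of the Sui response are assumed to have their JSON-RPC shape), the sender, and the user's stated intent, and returns the threat list the skill would print. The sample dry-run, the addresses, and the small `SYSTEM_ADDRESSES` set are constructed for the demo.

```python
MIST_PER_SUI = 1_000_000_000       # 1 SUI = 10^9 MIST
SUI_COIN = "0x2::sui::SUI"
SYSTEM_ADDRESSES = {"0x5", "0x6"}  # assumed "system" addresses, never counted as drains

def owner_address(owner):
    """Address from a Sui owner/recipient field; None for Shared, Immutable or missing."""
    return owner.get("AddressOwner") if isinstance(owner, dict) else None

def audit_dry_run(dry_run, sender, expected_payee, expected_sui, expected_gas_sui):
    """Compare a dry-run response with the stated intent. An empty list means SAFE TO SIGN."""
    threats, received = [], {}   # received: net SUI (MIST) credited per non-system address
    for ch in dry_run.get("balanceChanges", []):
        addr, amount = owner_address(ch["owner"]), int(ch["amount"])
        if ch["coinType"] == SUI_COIN and amount > 0 and addr not in SYSTEM_ADDRESSES \
                and addr not in (None, sender):
            received[addr] = received.get(addr, 0) + amount
    if received:
        payee = max(received, key=received.get)  # largest recipient is the presumed payee
        if payee != expected_payee or received[payee] > expected_sui * MIST_PER_SUI:
            threats.append(("PRICE_MISMATCH", f"{payee} receives {received[payee] / MIST_PER_SUI:.4f} SUI; "
                                              f"intent was {expected_sui} SUI to {expected_payee}"))
        for addr, amt in received.items():       # every other recipient is a hidden drain
            if addr != payee:
                threats.append(("PRICE_MISMATCH", f"hidden drain: {addr} received {amt / MIST_PER_SUI:.4f} SUI"))
    for oc in dry_run.get("objectChanges", []):  # HIJACK: final owner is neither sender nor payee
        new_owner = owner_address(oc.get("owner") or oc.get("recipient"))
        if oc.get("type") in ("created", "mutated", "transferred") \
                and new_owner not in (None, sender, expected_payee):
            threats.append(("HIJACK", f"object {oc['objectId']} ({oc['objectType']}) diverted to {new_owner}"))
    gu = dry_run["effects"]["gasUsed"]           # gas rule from the skill: no more than 5x expected
    gas_sui = (int(gu["computationCost"]) + int(gu["storageCost"]) - int(gu["storageRebate"])) / MIST_PER_SUI
    if gas_sui > 5 * expected_gas_sui:
        threats.append(("GAS_MISMATCH", f"gas {gas_sui:.4f} SUI exceeds 5x the expected {expected_gas_sui} SUI"))
    return threats

# Constructed sample: intent is "pay 1 SUI to PAYEE", but the PTB also drains 0.1 SUI and a UserProfile.
SENDER, PAYEE, DRAIN = "0xaaaa", "0xbbbb", "0xdeadbeef"
SAMPLE_DRY_RUN = {
    "effects": {"gasUsed": {"computationCost": "1000000", "storageCost": "2000000", "storageRebate": "500000"}},
    "balanceChanges": [
        {"owner": {"AddressOwner": SENDER}, "coinType": SUI_COIN, "amount": "-1102500000"},
        {"owner": {"AddressOwner": PAYEE}, "coinType": SUI_COIN, "amount": "1000000000"},
        {"owner": {"AddressOwner": DRAIN}, "coinType": SUI_COIN, "amount": "100000000"}],
    "objectChanges": [
        {"type": "mutated", "owner": {"AddressOwner": SENDER}, "objectId": "0x1", "objectType": f"0x2::coin::Coin<{SUI_COIN}>"},
        {"type": "transferred", "recipient": {"AddressOwner": DRAIN}, "objectId": "0x7ebf", "objectType": "0xPKG::profile::UserProfile"}],
}

if __name__ == "__main__":                      # prints the threat list for the constructed sample
    print(*audit_dry_run(SAMPLE_DRY_RUN, SENDER, PAYEE, 1, 0.01), sep="\n")
```

Feed it `json.loads` of the real `--dry-run --json` output instead of `SAMPLE_DRY_RUN`, and map a non-empty return to exit code 1 to get the skill's authoritative block/allow signal.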
(For sui client call or advanced review) Pay special attention to these malicious behaviors during dry-run comparison:
Never execute without --dry-run; use SuiSec to simulate first.
main.py exit code is authoritative: 0 = safe, 1 = blocked.
After installing Sui Sec, you can say these things to the AI to trigger it:
Help me get started with Sui Sec
Explains what Sui Sec does, walks through the setup, and runs a quick demo based on your current project
Use Sui Sec to sui Secure - Pre-simulate transactions via sui client call --dry-ru...
Invokes Sui Sec with the right parameters and returns the result directly in the conversation
What can I do with Sui Sec in my finance & investment workflow?
Lists the top use cases for Sui Sec, with example commands for each scenario
Place the skill folder in the ~/.claude/skills/suisec/ directory (user level, available to all projects) or in .claude/skills/suisec/ (project level). After restarting the AI client, invoke it explicitly with /suisec, or let the AI discover and use it automatically based on context.
Sui Sec supports Claude, Cursor and OpenClaw, integrating with these AI platforms to extend their capabilities.
Sui Sec is free to install and use. Check the repository for license information.
Sui Sec belongs to the "Finance & Investment" category; skills in this category help AI agents perform professional tasks in this domain.
Automate my finance & investment tasks using Sui Sec
Identifies repetitive steps in your workflow and sets up Sui Sec to handle them automatically