ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Price Pro

查询虚拟币实时价格和历史数据,支持生成趋势图、周报和邮件推送。当用户询问虚拟币价格、加密货币行情、需要币价分析报告或定时推送时使用此技能。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 33 · 0 current installs · 0 all-time installs
bycscsxx@cscsxx606
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description match the included scripts: both scripts call CoinGecko and generate charts and weekly email reports, so functionality aligns. However the package metadata declares no required environment variables or credentials while the SKILL.md and scripts clearly require EMAIL_SENDER, EMAIL_PASSWORD, EMAIL_RECIPIENT (SMTP) for the email feature. Also the scripts save outputs to a hardcoded path (/Users/admin/.openclaw/workspace), which is specific to a user and not justified by the description.
!
Instruction Scope
SKILL.md instructs users to export SMTP credentials and even to append the SMTP password into ~/.zshrc (persisting plaintext credentials). It also shows adding a cron job that cd's into a hardcoded /Users/admin/.openclaw/workspace path. The runtime instructions therefore direct storing sensitive secrets in shell rc files and scheduling tasks that run from a user-specific path — these broaden scope and create potential risk beyond simple price queries.
Install Mechanism
No install spec (instruction-only with included Python scripts), so nothing is downloaded at install time — this lowers install-time risk. The SKILL.md suggests installing matplotlib (pip3 install matplotlib --break-system-packages --user) which is somewhat unusual (the --break-system-packages flag can be disruptive) but not malicious. Code is plain Python using urllib and smtplib; no obfuscated endpoints.
!
Credentials
The skill requires SMTP-related environment variables (EMAIL_SENDER, EMAIL_PASSWORD, EMAIL_RECIPIENT, optionally EMAIL_SENDER_NAME) to send reports, but the metadata lists no required env vars or primary credential. That mismatch is a security concern: a user may not realize they must provide an email password. The scripts unconditionally use smtp.126.com and write files to a fixed /Users/admin path, which are choices that should be configurable rather than implicit.
Persistence & Privilege
The skill is not marked always:true and does not autonomously modify platform settings. However the instructions include how to add a cron job to run the weekly report from a specific user path — if the user follows these instructions it grants persistent automatic email-sending capability. That persistence is enacted by the user (cron) rather than the skill itself, but the instructions facilitate it.
What to consider before installing
This skill largely does what it claims (fetches CoinGecko data, makes charts, and can email a weekly report), but there are some red flags you should consider before installing or running it: - Metadata omission: The skill metadata does not declare the EMAIL_* environment variables even though the scripts require them. Expect to provide EMAIL_SENDER, EMAIL_PASSWORD, and EMAIL_RECIPIENT at runtime. - Don’t store passwords in shell rc files: The SKILL.md suggests echoing your SMTP password into ~/.zshrc. That leaves your SMTP password in plaintext on disk and in your shell history. Use a secure secrets store, .env files with appropriate file permissions, or environment variables set via your OS keyring/CI secrets instead. - Hardcoded paths and SMTP server: The scripts write outputs to /Users/admin/.openclaw/workspace and use smtp.126.com as the SMTP server. Update paths and SMTP settings to match your environment before running to avoid overwriting files or sending via an unintended mail server. - Cron persistence: The README shows adding a cron entry. Only create scheduled jobs if you trust the code and have reviewed where it writes files and which recipient will receive reports. - Test in a sandbox: Run the scripts locally with non-sensitive test credentials and a test recipient first. Review the code (the included Python is readable) and consider removing the plaintext-password persistence lines and making paths configurable. If you intend to use the email feature, require the author to update the skill metadata to declare required environment variables and to provide configurable path and SMTP settings (avoid hardcoded /Users/admin paths), or edit the scripts yourself before enabling scheduling.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.3
Download zip
bitcoinvk975hgc2p873rgxt1ep1jzttxd83143hcryptovk975hgc2p873rgxt1ep1jzttxd83143hethereumvk975hgc2p873rgxt1ep1jzttxd83143hlatestvk975hgc2p873rgxt1ep1jzttxd83143hprice-trackervk975hgc2p873rgxt1ep1jzttxd83143h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Crypto Price

查询主流虚拟币实时价格、历史数据,生成趋势图和周报。

功能特性

  • ✅ 实时价格查询(支持 10+ 主流币种)
  • ✅ 历史数据查询(1-365 天)
  • ✅ 单币种趋势图生成
  • ✅ 多币种对比图生成
  • ✅ 7 天周报自动生成
  • ✅ 邮件定时推送

使用方法

1. 查询当前价格

python3 skills/crypto-price/scripts/crypto_price.py <币种代码>

示例:

python3 skills/crypto-price/scripts/crypto_price.py BTC
python3 skills/crypto-price/scripts/crypto_price.py ETH

2. 查询历史价格

python3 skills/crypto-price/scripts/crypto_price.py <币种代码> --history <天数>

示例:

python3 skills/crypto-price/scripts/crypto_price.py BTC --history 3
python3 skills/crypto-price/scripts/crypto_price.py ETH --history 7

3. 生成单币种趋势图

python3 skills/crypto-price/scripts/crypto_price.py <币种代码> --chart <天数>

示例:

python3 skills/crypto-price/scripts/crypto_price.py BTC --chart 3
python3 skills/crypto-price/scripts/crypto_price.py ETH --chart 7

4. 生成多币种对比图

python3 skills/crypto-price/scripts/crypto_price.py BTC --compare <币种 1,币种 2,...> <天数>

示例:

python3 skills/crypto-price/scripts/crypto_price.py BTC --compare BTC,ETH,SOL 3
python3 skills/crypto-price/scripts/crypto_price.py BTC --compare BTC,ETH,BNB,SOL,DOGE 7

5. 生成周报并发送邮件

# 配置环境变量(首次使用)
export EMAIL_SENDER="your_email@126.com"
export EMAIL_SENDER_NAME="Your Name"
export EMAIL_PASSWORD="your_smtp_password"
export EMAIL_RECIPIENT="recipient@example.com"

# 生成并发送周报
python3 skills/crypto-price/scripts/crypto_weekly_report.py

永久配置(添加到 ~/.zshrc):

echo 'export EMAIL_SENDER="your_email@126.com"' >> ~/.zshrc
echo 'export EMAIL_SENDER_NAME="Your Name"' >> ~/.zshrc
echo 'export EMAIL_PASSWORD="your_smtp_password"' >> ~/.zshrc
echo 'export EMAIL_RECIPIENT="recipient@example.com"' >> ~/.zshrc
source ~/.zshrc

⚠️ 安全提示:

  • 不要将邮箱密码提交到 Git
  • 使用 .env 文件或环境变量存储敏感信息
  • 定期更换 SMTP 授权码

支持的币种

代码币种代码币种
BTC比特币SOLSolana
ETH以太坊XRP瑞波币
USDT泰达币ADA艾达币
BNB币安币DOGE狗狗币
DOT波卡币MATICPolygon

输出示例

当前价格

📊 BTC 价格信息
========================================
💵 美元价格: $73,246.00
💴 人民币价格: ¥505,100.00
📈 24h 涨跌: +1.97%
🏦 市值: $1.46T
========================================

历史价格

📈 BTC 3 天历史价格
========================================
  03-14: $70,965.28
  03-15: $71,217.10
  03-16: $72,681.91
========================================

定时任务配置

每天上午 10 点发送周报

# 添加到 crontab
0 10 * * * cd /Users/admin/.openclaw/workspace && python3 skills/crypto-price/scripts/crypto_weekly_report.py

或使用 OpenClaw cron:

openclaw cron add --schedule "0 10 * * *" --command "python3 skills/crypto-price/scripts/crypto_weekly_report.py"

注意事项

  1. API 限制: CoinGecko 免费 API 有速率限制(10-50 次/分钟)
  2. 数据延迟: 价格数据延迟约 1-5 分钟
  3. matplotlib: 生成图表需要安装 matplotlib
  4. 邮箱配置: 邮件发送需要配置 126 邮箱 SMTP

依赖安装

# 安装 matplotlib(图表生成)
pip3 install matplotlib --break-system-packages --user

# 或
brew install python-matplotlib

文件结构

crypto-price/
├── SKILL.md
└── scripts/
    ├── crypto_price.py           # 主脚本(价格查询、图表生成)
    └── crypto_weekly_report.py   # 周报生成和邮件发送

数据来源

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…