ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Market Sentiment

v1.0.0

加密货币市场情绪分析,整合恐惧贪婪指数、社交媒体情绪、资金流向等多维度数据。每次调用收费0.001 USDT。触发词:市场情绪、sentiment、恐惧贪婪指数、市场分析。

0· 2.2k·30 current·31 all-time
by@deeplearning1993
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (crypto market sentiment) match the code: the script fetches a fear&greed index from alternative.me and simulates social/fund-flow metrics to produce a score. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md instructs running the included python script and shows an example output. It also states a charge of 0.001 USDT and provides a wallet address, but the code itself only prints “已扣费 0.001 USDT” and does not perform any payment or network transmission of local/system data. No instructions tell the agent to read local files or other environment variables.
Install Mechanism
No install spec (instruction-only with a small Python script). The only runtime network call is to api.alternative.me; no downloads from unknown hosts or archive extraction.
Credentials
The skill requests no environment variables, credentials, or config paths. It does make an outbound HTTP request to a public API, which is appropriate for obtaining a fear-and-greed index.
Persistence & Privilege
always is false and the skill does not request persistent/system-level changes. It does not modify other skills or agent settings.
Assessment
This skill appears coherent and contains a small Python script that fetches data from api.alternative.me and simulates other metrics. Notes before installing or using: (1) the SKILL.md includes a crypto wallet and a per-call fee, but the code does not actually collect payment — do not send funds unless you have independently verified the provider and their billing; (2) the source/homepage is missing and the owner is unknown, so treat it as untrusted code—review the script locally before running and run it in a sandboxed environment; (3) the script requires Python and the requests library and makes outbound HTTP requests (ensure your environment policy allows that); (4) because the project has no install mechanism and could be updated in future versions, re-review code on updates. If you want stronger assurance, ask the publisher for a homepage or signed releases, or run the script in an isolated VM and inspect network traffic.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d447p5qdr6c54v4fn02s29982cn1w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments