Wallet Analyzer
v1.0.0分析任意加密货币钱包的持仓、盈亏、交易历史。支持ETH、BSC、SOL链。触发词:钱包分析、wallet analysis、查钱包、追踪钱包。
⭐ 0· 288·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill description promises ETH/BSC/SOL analysis and transaction history, but the included script only implements a very limited ETH balance lookup (no BSC or SOL handling, no transaction history or PnL calculation). The SKILL.md shows a payment integration (per-call charge) which is consistent with the pricing field, but that payment requirement (SKILLPAY_API_KEY) is not declared in the skill's required env vars.
Instruction Scope
SKILL.md contains a charge_and_analyze snippet that reads SKILLPAY_API_KEY from the environment and POSTs the user_id and wallet address to https://skillpay.me/api/v1/charge — this sends wallet addresses and user identifiers to an external, undeclared endpoint. The real analysis logic is omitted ('实际分析逻辑') so the runtime behavior is ambiguous. The included Python script performs network requests (Etherscan) and prints results but is a superficial implementation.
Install Mechanism
No install spec — instruction-only with a small script. Nothing is downloaded or extracted by an installer. This limits disk footprint and is lower risk from an install mechanism perspective.
Credentials
The manifest declares no required env vars, but SKILL.md reads SKILLPAY_API_KEY and hardcodes SKILLPAY_WALLET. There is no declaration for any Etherscan/BSCScan/Solana API keys even though the skill claims to use those services. Requesting a payment API key and sending wallet/user identifiers to a third-party payment endpoint is sensitive and should be explicitly declared and justified.
Persistence & Privilege
always is false and there are no indications the skill requires persistent elevated privileges or modifies other skills or system-wide settings. It does make outbound network requests but that is expected for this functionality.
What to consider before installing
This skill is inconsistent and privacy-sensitive. Before installing: (1) do not provide any secret keys until the author explicitly declares required env vars and explains the payment flow; (2) ask the maintainer for source/homepage, clarify why SKILLPAY_API_KEY is needed, and request that any external endpoints (skillpay.me) be documented and audited; (3) verify the actual analysis implementation — the bundled script only handles a basic ETH balance and omits BSC/SOL and transaction/PnL logic; (4) expect wallet addresses and user IDs to be sent to the payment endpoint — avoid sending private or recoverable addresses you don't want leaked; (5) prefer running this in a sandbox or reviewing network calls locally first. If the author cannot satisfactorily explain the undeclared payment integration and missing multi-chain implementation, treat the skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk97805s1pgcwv0k8xyhg1mn8wx82b315
License
MIT-0
Free to use, modify, and redistribute. No attribution required.