DeFi Risk Scanner
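v1.0.0
Web3/DeFi risk scanning tool. Use when the user mentions "analyze DeFi protocol risk", "check whether a token is a rug pull", "assess project security", "view contract risk", "DeFi security", "on-chain risk", "token risk assessment", "protocol due diligence", or "is this project safe". Covers mainstream EVM chains and provides structured risk scoring, risk factor breakdown, key ...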
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the behavior: the script fetches protocol or token data from public DeFi APIs and computes scores. Minor mismatch: the registry lists no required binaries, but README/SKILL.md and the script itself require common CLI tools (bash, curl, jq, awk, bc). This is a documentation/inventory inconsistency rather than a functional mismatch.
Instruction Scope
SKILL.md and the script instruct the agent/user to call public APIs and run the included script. The runtime instructions do not tell the agent to read local secrets, other skills' configs, or arbitrary files. All network calls in the script target known public DeFi services (api.llama.fi, api.dexscreener.com); references in docs to other services (Etherscan, Token Sniffer, RugCheck) are expected and not used in a way that requests secrets.
Install Mechanism
No install spec is provided (instruction-only with a shipped script), so nothing is downloaded or executed from external arbitrary URLs during install. The only shipped executable is a local shell script; there is no installer that pulls remote code.
Credentials
The skill declares no required environment variables or credentials, and the script uses public, unauthenticated API endpoints. No secrets (API keys, tokens, passwords) are requested. Docs mention some services that may optionally require keys (e.g., Etherscan), but the skill does not demand them.
Persistence & Privilege
always is false and user-invocable is true. The skill does not request permanent presence, modify other skills, or require elevated agent/system privileges.
Assessment
This skill appears to do what it claims, but check these before installing or running:
- Inspect and run the script locally rather than allowing automatic execution by an agent: it is a Bash script that calls public APIs and computes scores, so executing it locally is straightforward and safer.
- Install required CLI tools: the README and script require bash, curl, jq, awk, and bc. The registry metadata did not declare these dependencies—make sure you have them.
- The script makes outbound network calls to public DeFi APIs (api.llama.fi, api.dexscreener.com, etc.). If you are in a restricted environment, be aware of those network requests.
- No credentials are requested by the skill, and it does not appear to exfiltrate local files or secrets. Never provide private keys, seed phrases, or other sensitive secrets when using the tool (not required for its operation).
- Source/homepage/owner appear minimal; if you need higher assurance, ask the publisher for provenance (GitHub repo, maintainer identity) or run the script in an isolated environment first.
- Remember outputs are informational only and not financial advice (SKILL.md already states this). Do your own research before acting on any recommendations.

Like a lobster shell, security has layers — review code before you run it.
