加密货币与贵金属监控
v1.2.1加密货币与贵金属价格监控 / Crypto & Precious Metals Price Monitor - 监控BTC/ETH实时价格、黄金(XAU)/白银(XAG)走势,免费API无需Key
⭐ 7· 4.7k·17 current·17 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description, SKILL.md, and the script all align: the tool fetches crypto and metals prices from public APIs and displays alerts/comparisons. One mismatch: the registry metadata declares no required binaries, but the included script depends on external commands (curl, python3, bc, stat, date). That is a usability/accuracy omission rather than evidence of malice.
Instruction Scope
SKILL.md describes running the provided crypto-monitor commands and lists the data sources. The runtime instructions and the script stay within the stated purpose: they perform GET requests to price APIs, compute changes, cache results, and print alerts. There are no instructions to read unrelated system files or to transmit local data to arbitrary endpoints.
Install Mechanism
There is no install spec (instruction-only plus an included script). Nothing is downloaded or executed from third-party URLs during installation. The script does make outbound HTTP requests at runtime to well-known financial endpoints (CoinGecko, exchangerate-api, goldapi.io, Yahoo Finance).
Credentials
The skill requests no environment variables or credentials and uses a demo token header for GoldAPI. The network access and lack of secrets are proportionate to the stated purpose. No unrelated credentials or config paths are requested or accessed.
Persistence & Privilege
The skill does not request persistent or elevated privileges. It only writes cache/history files under /tmp/crypto-monitor and does not modify system-wide settings or other skills. always:false (default) and autonomous invocation remain as usual.
Assessment
This skill appears to do what it says: it fetches prices from CoinGecko, GoldAPI, Yahoo Finance, and exchangerate-api and caches results under /tmp/crypto-monitor. Before installing: (1) be aware it makes outbound HTTP requests to those public endpoints (no secrets are sent). (2) Ensure your environment has curl, python3, and bc (the metadata omitted these dependencies). (3) The script uses a demo GoldAPI token and may hit rate limits — no API keys are required but functionality may be degraded. (4) If you are installing on a shared or restricted system, run it in a sandbox or review the script yourself; it only writes to /tmp and does not appear to exfiltrate local files or access unrelated credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk9708fseehdke77g091nfzwwk18073a9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.