Crypto Arbitrage CN | 加密货币套利监控
v1.0.1加密货币套利监控 | Cryptocurrency Arbitrage Monitor. 支持币安、OKX、Gate.io、火币 | Supports Binance, OKX, Gate.io, Huobi. 实时价格监控、利润计算、Telegram通知 | Real-time price monitoring...
⭐ 0· 972·4 current·4 all-time
byGuohongbin@guohongbin-git
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, SKILL.md, references, and the Python script all align: the tool polls public price endpoints for Binance, OKX, Gate.io, and Huobi and computes potential arbitrage. There are no unrelated requested credentials or surprising capabilities in the code.
Instruction Scope
SKILL.md instructs running the included Python script and editing its config constants. It also mentions optional Telegram notifications and points to setting TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID. The runtime instructions are scoped to price checks and notifications and do not attempt to read unrelated local files or credentials, but they do rely on environment variables not declared in the registry metadata.
Install Mechanism
No install spec (instruction-only) and no network-downloads — low install risk. However the package does include an executable Python script that requires Python and the aiohttp library; the metadata declared no required binaries or dependencies, which is an omission/inconsistency that could surprise users.
Credentials
The package metadata lists no required env vars, but the script reads TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID from the environment for notifications. These are optional and appropriate for Telegram functionality, but they should be declared. Also be aware that supplying a Telegram bot token grants the script the ability to post messages to the configured chat (potential data exfiltration if misused).
Persistence & Privilege
The skill does not request permanent/system privileges; always:false. It does not modify other skills or system-wide configs. Autonomous invocation defaults are normal and present, but there are no added persistence mechanisms.
What to consider before installing
This skill appears to implement the advertised arbitrage monitor, but there are a few practical and safety issues to check before installing or running it:
- Missing metadata: the registry lists no runtime dependencies or env vars, but the script requires Python (3) and the aiohttp library and optionally reads TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID. Install those dependencies and/or update the metadata.
- Telegram tokens: if you set TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID, the script can send messages to that chat. Only provide tokens for bots/chats you control and trust. Treat the token like a secret.
- Network activity: the script makes outbound HTTP requests to public exchange APIs and to api.telegram.org. Review the code yourself (it's included) and run it in an isolated environment if you are concerned.
- Operational risk: this is an informational monitor only (it does not execute trades) — it does not require exchange API keys, but real arbitrage would require exchange accounts and funds; do not provide exchange API keys to this skill unless you review and trust how keys would be used.
If you plan to use it: run it locally in a sandbox or VM, install Python + aiohttp, inspect/modify the script as needed, and only supply Telegram credentials you control. If you want stronger assurance, request clarification from the publisher or ask them to update the package metadata to declare dependencies and optional env vars.Like a lobster shell, security has layers — review code before you run it.
arbitragevk973qb3zm68m2xyzmx3csszv7x81anp4chinesevk973qb3zm68m2xyzmx3csszv7x81anp4cryptovk973qb3zm68m2xyzmx3csszv7x81anp4latestvk973qb3zm68m2xyzmx3csszv7x81anp4tradingvk970hae7g7nx7zq5jpymdn0p0s81avx0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.