Bitget Poolx Monitor

v1.1.0

Monitor Bitget PoolX for new staking projects using r.jina.ai to bypass Cloudflare. Detect ETH, BTC, SOL and other pool launches.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
SKILL.md and main examples use r.jina.ai to fetch Bitget PoolX (consistent). However the repo also contains bitget-final.py which uses Playwright and stealth tricks to fetch the same site; this contradicts the README claim 'no Playwright needed' and introduces a heavy dependency not declared in metadata.
[!] Instruction Scope
SKILL.md only instructs lightweight HTTP fetches to r.jina.ai/bitget.com and shows a simple requests example. The included Python files, however, perform additional network operations (calls to skillpay.me) and a headful/headless browser flow that may load different content. The instructions do not document these extra behaviors or when the Playwright path is used.
Install Mechanism
There is no install spec (instruction-only) which is low-risk in isolation, but the presence of Playwright-based code implies a large dependency that is not declared. If someone runs the Playwright script, they will need to install Playwright and browsers — this mismatch is a packaging/information gap.
[!] Credentials
No required env vars are declared, yet billing.py contains a hard-coded BILLING_API_KEY and SKILL_ID. Hard-coded secret-like values in distributed code are a red flag: they may allow the author (or anyone with the key) to charge or query balances, and the skill performs network calls to an external billing endpoint (skillpay.me) without disclosing required credentials.
Persistence & Privilege
The skill does not request always:true, no special OS restrictions, and does not declare config paths. It does not attempt to modify other skills or agent-wide settings in the provided files.
What to consider before installing
This skill is suspicious rather than clearly malicious. Before installing or running it:
1) Do not run the Python files on a production machine — run in an isolated environment if you want to inspect behavior.
2) Ask the author to explain why Playwright is included despite the README claiming it's unnecessary, and to either remove that code or add a proper install spec for Playwright and browsers.
3) Treat the hard-coded BILLING_API_KEY as sensitive: ask the author why a secret key is embedded, verify whether it's a test/demo key, and request that billing credentials be supplied via environment variables or handled by the platform rather than hard-coded.
4) Be aware the skill will make outbound HTTP requests to r.jina.ai, www.bitget.com and skillpay.me (including potential payment/charge operations).
5) Consider refusing installation or auditing network traffic until the above inconsistencies are resolved; if the embedded API key is real, consider requesting that it be revoked/rotated.

Like a lobster shell, security has layers — review code before you run it.
