Demon Coin Signal Detector (妖币信号探测器; can be paired with an automated trading system)
Review
Audited by ClawScan on May 10, 2026.
Overview
This crypto-signal skill mostly matches its stated purpose, but it calls an unknown plaintext server and may charge the user automatically per use.
Use this skill only if you are comfortable with paid per-call crypto analysis being sent to an unknown remote server. Confirm the fee before each use, avoid putting secrets in `DEMON_USER_ID`, and do not connect its output to automated trading without manual review.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could incur paid calls when asking normal crypto-analysis questions, especially if the agent invokes the skill without first confirming the cost.
The skill instructs the agent to invoke a paid remote command for ordinary analysis requests, and the artifacts do not require an explicit user confirmation before each charged call.
User asks "How is XXX coin?" → `python3 scripts/analyze.py <COIN>` ... each call automatically deducts 0.1 USDT
Require explicit confirmation before each paid invocation, clearly state the exact price and billing account, and add call limits or a dry-run mode.
A network attacker or intermediary could see the queried coins/user identifier or alter returned trading signals and payment links.
The skill sends user identity and trading-query context to a hardcoded plaintext HTTP endpoint, allowing observation or tampering of requests and responses.
API_HOST = os.environ.get("DEMON_API_HOST", "http://43.103.7.227:5001") ... headers["X-User-Id"] = user_id ... requests.get
Use HTTPS with a stable provider domain, document the data sent to the server, and authenticate or sign responses where possible.
The service can associate requests with a user identifier; if a real account ID is used, it may affect privacy or billing attribution.
The code forwards a local environment-provided user identifier to the remote service, apparently for account or billing association, but this identifier is not declared in the registry requirements.
user_id = os.environ.get("DEMON_USER_ID", "cli_user") ... headers["X-User-Id"] = user_id
Declare `DEMON_USER_ID`, explain whether it is required for billing, and warn users not to place secrets in that variable.
Users install whatever version of the dependency is current in their Python environment, which can reduce reproducibility.
The installation instruction uses an unpinned package install. `requests` is a standard dependency and is purpose-aligned, but pinning and declaring it would make installation more reproducible.
pip install requests
Add a proper install spec or requirements file with a pinned or bounded `requests` version.
