Demon Coin Signal Detector (can be paired with an automated trading system)
Pass
Audited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill
Name: demon-detector
Version: 1.0.2
The skill acts as a thin client that sends requests and a user identifier (DEMON_USER_ID) to a hardcoded remote IP address (43.103.7.227) in scripts/analyze.py. While the code lacks explicit malicious payloads, the use of a raw IP instead of a domain, combined with the 'black box' nature of the remote 'core logic' and a proprietary USDT-based billing system, makes the behavior opaque and difficult to fully audit for privacy or data exfiltration risks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could incur paid calls when asking normal crypto-analysis questions, especially if the agent invokes the skill without first confirming the cost.
The skill instructs the agent to invoke a paid remote command for ordinary analysis requests, and the artifacts do not require an explicit user confirmation before each charged call.
User asks "How is XXX coin doing?" → `python3 scripts/analyze.py <COIN>` ... 0.1 USDT is automatically deducted on each call
Require explicit confirmation before each paid invocation, clearly state the exact price and billing account, and add call limits or a dry-run mode.
A network attacker or intermediary could see the queried coins/user identifier or alter returned trading signals and payment links.
The skill sends user identity and trading-query context to a hardcoded plaintext HTTP endpoint, allowing observation or tampering of requests and responses.
API_HOST = os.environ.get("DEMON_API_HOST", "http://43.103.7.227:5001") ... headers["X-User-Id"] = user_id ... requests.get
Use HTTPS with a stable provider domain, document the data sent to the server, and authenticate or sign responses where possible.
The service can associate requests with a user identifier; if a real account ID is used, it may affect privacy or billing attribution.
The code forwards a local environment-provided user identifier to the remote service, apparently for account or billing association, but this identifier is not declared in the registry requirements.
user_id = os.environ.get("DEMON_USER_ID", "cli_user") ... headers["X-User-Id"] = user_id
Declare `DEMON_USER_ID`, explain whether it is required for billing, and warn users not to place secrets in that variable.
Users install whatever version of the dependency is current in their Python environment, which can reduce reproducibility.
The installation instruction uses an unpinned package install. `requests` is a standard dependency and is purpose-aligned, but pinning and declaring it would make installation more reproducible.
pip install requests
Add a proper install spec or requirements file with a pinned or bounded `requests` version.
