Solana Market
v0.1.0查询 Solana 生态代币实时价格和市场概览。当用户想知道代币价格、行情、市场状况时触发。
⭐ 0· 246·1 current·1 all-time
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description and primary scripts (get-price.js, market-overview.js) align with a Solana price/market skill. However, the package also contains check-token-risk.js and track-whale.js which are not listed in the SKILL.md 'Available Scripts' table, introducing capability creep. track-whale.js implements whale-tracking via Helius (requires an API key) which is plausible for a market tool but is not documented as required. The presence of risk-checking and whale-tracking scripts without being declared in the manifest is an incoherence.
Instruction Scope
SKILL.md instructs running node scripts under skills/solana-market/scripts/*. The code, however, resolves a shared directory outside the skill (path.resolve(..., '..','..','..','shared')), which means at runtime the scripts will load modules from a sibling shared folder outside the skill bundle. That allows access to code/config outside the skill and is not documented. Additionally, track-whale.js checks config.heliusApiKey at runtime even though no env or config requirement is declared in SKILL.md—so instructions do not fully describe required runtime context.
Install Mechanism
There is no install spec; the skill is instruction-only with node scripts present. Lack of an install mechanism reduces risk from arbitrary downloads. However, the scripts depend on an external shared directory and Node runtime being available, which may cause runtime failures if the expected shared modules are absent.
Credentials
The registry metadata declares no required environment variables, but track-whale.js explicitly requires config.heliusApiKey (HELIUS_API_KEY) and will exit if it's not configured. This is a direct mismatch between declared environment needs and actual code. The skill may therefore prompt for or expect sensitive credentials that are not declared up front.
Persistence & Privilege
The skill does not request always:true and makes no changes to other skills or system-wide settings. It appears to run only when invoked, so there are no elevated persistence privileges requested by the manifest.
What to consider before installing
Before installing or running this skill: 1) Ask the author to update SKILL.md to list all available scripts (check-token-risk.js and track-whale.js) and to declare required environment variables (e.g., HELIUS_API_KEY) and any other config. 2) Inspect the referenced shared/ modules (price-service, services, config, wallet, formatter, errors) because the scripts resolve and execute code from a shared folder outside the skill — that code can affect behavior and may read credentials or call external APIs. 3) Do not provide real API keys or secrets until you confirm where they will be used and stored; consider running the skill in a sandboxed environment first. 4) If you only need price queries, request a minimal version that does not include whale-tracking or external shared dependencies. 5) If you proceed, monitor network activity and limit the skill's access to secrets (e.g., create an API key with read-only or limited scope for Helius/CoinGecko).Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
💲 Clawdis
Binsnode
latest
Solana 市场情报
When to Use
- 用户问代币价格("SOL 多少钱")
- 用户想看整体市场行情
- 用户提到"价格"、"行情"、"市场"、"多少钱"
Workflow
用户问某个代币的价格
- 从用户消息中提取代币名称
node skills/solana-market/scripts/get-price.js <SYMBOL>- 支持的代币:SOL、USDC、USDT、JUP、RAY、BONK
- 展示价格,并主动提供相关操作建议:
- "SOL 目前 $150。需要设置价格警报吗?"
- "JUP 目前 $0.82。要看看你持有多少吗?"
用户想看市场概览
node skills/solana-market/scripts/market-overview.js- 展示所有代币价格列表
- 如果用户已连接钱包,可以主动建议:"要看看你的持仓在这个行情下的表现吗?"
代币不支持时
如果用户查询的代币不在支持列表中,友善告知:
"目前支持查询 SOL、USDC、USDT、JUP、RAY、BONK 的价格。你想查哪个?"
Guardrails
- 不预测走势 — 不说"看起来要涨/跌了"
- 数据来源透明 — 可以告知用户"价格来自 CoinGecko"
- 不推荐交易 — 展示价格后不建议买入/卖出
- 缓存说明 — 如果用户反复查询相同代币,告知价格有 30 秒缓存
Available Scripts
| 脚本 | 用途 | 参数 |
|---|---|---|
get-price.js | 查询价格 | <SYMBOL> [--lang en] |
market-overview.js | 市场概览 | [--lang en] |
Comments
Loading comments...