ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

River Autotrader

v1.0.0

Provides real-time River ($RIVER) crypto data including price, 24h change, 7-day trends, volatility, Staking rewards, TVL, with a 0.001 USDT fee per query.

0· 363·0 current·0 all-time
by@mrchillhigh
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description describe a paid River ($RIVER) data service and the code and SKILL.md implement price/staking/TVL retrieval plus a payment flow — this aligns with the stated purpose. However, the skill also embeds a SkillPay/TokenPay API key and payment logic without declaring any required environment variables or credentials in the metadata, which is inconsistent with normal practice.
!
Instruction Scope
SKILL.md instructs the agent to create a payment order, return a payment link, verify payment, and then provide data. The included script performs HTTP requests to tokenpay.me (payment) and CoinGecko/app.river.inc (data). The instructions do not document the embedded default API key nor state the skill will fall back to returning data if payment creation fails (the script prints a warning and returns data), which contradicts the documented pay-per-call flow and gives the agent broad discretion to return data even when payment fails.
Install Mechanism
No install spec — instruction-only plus a Python script. No downloads or package installs are performed by an installer, which is low risk from an installation mechanism perspective.
!
Credentials
The code expects a SKILLPAY_API_KEY via environment but the skill metadata declares no required env vars. Worse, a long-looking API key is hard-coded in both references/config.md and the script as the default fallback, which is a secret-management and provenance risk (possible leaked/invalid/abused key). The skill should declare any required payment credential explicitly and must not embed secrets in files.
Persistence & Privilege
always:false and autonomous invocation are normal. The skill does not request persistent/always-on privileges nor attempt to modify other skills or system-wide settings.
What to consider before installing
This skill implements the paid River data flow but has multiple red flags you should address before installing: (1) It embeds a SkillPay/TokenPay API key directly in config and code — treat that as a leaked secret and ask the author to remove it and require SKILLPAY_API_KEY as a declared env var. (2) The skill metadata does not declare any required credentials despite performing payment operations; ask for explicit required env vars and documentation of what the key is/where it came from. (3) The script will return data even when payment creation fails (bypassing the pay requirement) — clarify intended behavior. (4) The skill's source/homepage is unknown; prefer skills with verifiable origin and privacy/payment policies. Recommended actions: request that the publisher (a) remove hard-coded secrets, (b) declare SKILLPAY_API_KEY in requires.env and document its scope, (c) provide a trustworthy homepage or repo, and (d) explain how payment verification is enforced. If you cannot verify these items or trust the publisher, avoid installing or using this skill (to avoid accidental charges, secret leakage, or untrusted payment endpoints).

Like a lobster shell, security has layers — review code before you run it.

latestvk97668yew94v8j26s952y8ryr582arra
363downloads
0stars
1versions
Updated 7h ago
v1.0.0
MIT-0
@mrchillhigh
latest
Download

River Autotrader / River 自动交易助手

概述 / Overview

本技能帮助用户追踪 River ($RIVER) 加密货币的实时信息,包括价格走势、波动率分析、Staking 收益、TVL 等关键数据。每次调用费用 0.001 USDT

This skill helps users track real-time information about River ($RIVER) cryptocurrency, including price trends, volatility analysis, Staking rewards, TVL and other key data. Fee: 0.001 USDT per call.

支付流程 / Payment Flow

  1. 用户发起查询 → 系统创建支付订单 → 返回支付链接
  2. 用户完成支付 → 系统验证支付 → 返回 River 数据
  3. 每次调用自动从用户收取 0.001 USDT

功能 / Features

1. 价格信息 / Price Information

  • 实时价格查询 (Real-time price)
  • 24小时涨跌 (24h change)
  • 7天走势图 (7-day trend)

2. 走势分析 / Trend Analysis

  • 价格趋势判断
  • 支撑位/阻力位分析
  • 市场情绪判断

3. 波动率监控 / Volatility Monitoring

  • 历史波动率计算
  • 异常波动警报
  • 风险等级评估

4. Staking 信息 / Staking Information

  • 当前 APR
  • 总质押量
  • 质押收益计算器
  • 投票权说明

5. 生态数据 / Ecosystem Data

  • TVL (Total Value Locked)
  • 支持的区块链
  • 产品功能介绍

触发条件 / Triggers

当用户询问以下内容时自动触发:

  • "River 价格" / "River price" / "RIVER 多少钱"
  • "RIVER 走势" / "RIVER trend" / "RIVER 行情"
  • "River 波动" / "River volatility" / "River 风险"
  • "River Staking" / "River 质押" / "River 收益"
  • "River 解锁" / "River unlock"
  • "River 空投" / "River airdrop"
  • "River TVL"
  • "River 生态" / "River 是什么"
  • 询问任何关于 app.river.inc 的信息

数据来源 / Data Sources

  1. River 官网: https://app.river.inc
  2. CoinGecko API: https://www.coingecko.com
  3. DefiLlama: https://defillama.com

使用示例 / Usage Examples

用户: River 价格多少?
助手: [创建支付订单,收取 0.001 USDT]
    支付完成后返回:
    - 当前价格
    - 24h 涨跌
    - 走势图
    - 波动率分析
    - Staking 信息

支付说明 / Payment Details

  • 费用: 0.001 USDT / 次
  • 支付方式: USDT (TRC20)
  • 支付链接: 通过 skillpay.me 生成
  • 验证方式: 自动验证支付状态

参考文档 / Reference Documents

注意事项 / Notes

  1. 本技能提供的信息仅供参考,不构成投资建议
  2. 加密货币投资有风险,请谨慎决策
  3. 投资前请自行做好研究 (DYOR)
  4. Information provided is for reference only, not investment advice
  5. Crypto investment has risks, please make careful decisions
  6. Always do your own research (DYOR) before investing

Comments

Loading comments...