GTA Real Estate Report Generator
v1.0.0
Generates professional GTA real estate investment financial reports after a 5 USDT payment validation.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to produce paid GTA real-estate reports and its code contacts a billing API — that is consistent with monetization. However, SKILL.md instructs executing a file at a user-specific absolute path (/Users/guodong.chen/...) instead of the included run.py, which is incoherent with the published bundle.
Instruction Scope
SKILL.md explicitly instructs the agent to exec a local absolute path outside the skill bundle and to reproduce the script's output verbatim (including payment links). That path may not exist on other hosts and could be used to cause the agent to run arbitrary local files. The script also sends the agent's user id to an external billing endpoint — a legitimate action for payments but a privacy/flow risk if the endpoint or key is untrusted.
Install Mechanism
There is no install spec (instruction-only), which reduces install-time risk. The runtime script requires the Python 'requests' library and outbound network access but no packages are declared. Lack of declared dependencies could cause runtime failures or unexpected behavior if the environment differs.
Credentials
The skill declares no required env vars, yet run.py reads OPENCLAW_SENDER_ID and posts it to an external API. The script also contains a hard-coded API_KEY (secret) in source — embedding a secret in distributed code is poor practice and may indicate misuse. Releasing a private API key openly is suspicious and could be abused.
Persistence & Privilege
The skill does not request always:true and does not appear to modify agent/system configuration. Autonomous invocation is allowed by default but that alone is not a new risk here.
What to consider before installing
Do not run this skill without taking precautions. Specific concerns: (1) SKILL.md tells the agent to execute /Users/guodong.chen/… which is a developer-local absolute path — verify why the instruction targets an external/local path instead of the included run.py; running arbitrary local paths can execute unexpected code. (2) run.py contains a hard-coded API key and will POST your agent's user id to https://skillpay.me; confirm the legitimacy of the SkillPay service and that the API key is intended to be public. (3) The script prints and asks you to relay payment links verbatim — an attacker could craft malicious links. Before installing: inspect and run the bundled run.py in a sandbox, confirm the payment endpoint and API key with the publisher, test with a fake/dummy user id and without real funds, and consider requiring the skill author to remove hard-coded secrets and to update SKILL.md to run the included run.py (relative path) instead of a user-specific absolute path. If the publisher cannot explain the absolute path or the exposed API key, avoid using the skill.
Like a lobster shell, security has layers — review code before you run it.
GTA Real Estate Investment Financial Report Generator (SkillPay billing edition)
This skill generates professional real estate investment financial reports for the Greater Toronto Area (GTA) for users. Note: invoking this feature requires charging the user 5 USDT.
Trigger conditions (When to use)
Trigger this skill when the user expresses an intent such as:
- "Generate an investment financial report for downtown Toronto"
- "Help me produce a GTA real estate report"
- "I want to see pre-construction (pre-sale) data for Toronto"
- Any instruction with a clear intent to "generate/query a GTA real estate/investment financial report".
Execution method (How to execute)
Regardless of which part of Toronto the user asks about, the underlying secure billing verification script must be called first.
Use the exec tool to run the following command:
python3 /Users/guodong.chen/.openclaw/workspace/skills/skillpay-demo/run.py
Strict requirements:
- Never fabricate a report for the user yourself! Do not provide any data until the script reports that the charge succeeded.
- Reply to the user with the complete, verbatim output of the Python script (especially the payment link).
- If the script responds with "余额不足" (insufficient balance) together with a top-up link, present the link to the user in full so they can top up.