Odaily Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a legitimate crypto-market information assistant, but it runs local Python/pip commands and can use optional API or Supabase credentials if present.

Before installing, review the Python files and requirements, run it in an isolated environment if possible, and only provide CoinGecko or Supabase credentials if you intentionally want those integrations enabled.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may install Python packages and run local code from the detected skill directory.

Why it was flagged

Normal use involves Bash, local Python execution, and pip installation. This is central to the skill's design, but it changes the local Python environment and relies on a path search.

Skill content

SKILL_DIR=$(find ~/.openclaw ~/.claude -name "run.py" -path "*/odai*" ... ) && cd "$SKILL_DIR" && pip install -r requirements.txt -q ... && python3 run.py

Recommendation

Review the skill directory and requirements first; prefer a virtual environment and a fixed install path if possible.

What this means

A future dependency version could behave differently from the version reviewed here.

Why it was flagged

Dependencies use lower-bound version ranges rather than pinned hashes or a lockfile. These are common packages and purpose-aligned, but future versions could change behavior.

Skill content

requests>=2.31.0
beautifulsoup4>=4.12.0

Recommendation

For stricter assurance, pin dependency versions or install in an isolated environment.

What this means

If these environment variables are present, the skill may use those provider credentials during market-data or persistence operations.

Why it was flagged

The skill can read optional CoinGecko and Supabase credentials from the environment, while registry metadata declares no required env vars. This appears purpose-aligned and optional, not exfiltrative.

Skill content

COINGECKO_API_KEY: ... os.environ.get("COINGECKO_API_KEY", "") ... SUPABASE_URL ... SUPABASE_KEY

Recommendation

Only expose credentials intended for this skill, and use restricted Supabase keys if enabling persistence.

What this means

Responses may include an extra follow-up menu even when the user did not ask for one.

Why it was flagged

The skill instructs the agent to append a fixed module-selection prompt after every response. This is disclosed UX behavior, but it can override user preferences for terse or differently formatted replies.

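Skill content

This is a mandatory rule and must not be omitted under any circumstances... No matter what the user asks, the reply must end with this follow-up question

Recommendation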

Be aware of the forced footer; the skill author could soften this to respect explicit user formatting requests.