Odaily Skill
Analysis
The skill mostly matches its crypto-market purpose, but it needs review because normal use runs local shell commands that quietly install Python packages and execute local code, with optional credential-backed persistence.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
SKILL_DIR=$(find ~/.openclaw ~/.claude -name "run.py" -path "*/odai*" ... ) && cd "$SKILL_DIR" && pip install -r requirements.txt -q 2>/dev/null && python3 run.py <工具名> '<JSON参数>'
Normal tool invocation includes a broad local search, quiet dependency installation, and Python execution rather than a one-time reviewed setup step.
requests>=2.31.0
beautifulsoup4>=4.12.0
Dependencies use lower bounds rather than exact pins, so the runtime pip install command can pull newer, unreviewed package versions.
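Must be appended after every answer, including after the full-section daily report output ... No matter what the user asks, this follow-up question must appear at the end and must not be omitted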
The skill forces a fixed follow-up section after every response, even if the user requested a different output format.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
os.environ.get("COINGECKO_API_KEY", "") ... os.environ.get("SUPABASE_URL", "") ... os.environ.get("SUPABASE_KEY", "")
The code reads optional local API/database credentials even though the registry metadata declares no environment variables.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
_try_save_to_supabase(all_trades) ... sb.insert_whale_trades(new)
The whale-trade workflow can persist fetched Polymarket trade records to Supabase when configured.
