Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Odds Movement Monitor (Odds Monitoring)
v1.0.0
Odds movement monitoring assistant: monitors in real time changes to Asian handicap, European (1X2) odds, and over/under lines for football, basketball and other sports events. Detects abnormal swings, large-bet signals, and shifts in bookmaker stance. Supports cross-platform comparison, historical trend analysis, and automatic alert notifications. Use when the user needs to monitor odds movements, track odds trends, or find betting opportunities.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Verdict: Suspicious (high confidence)
Purpose & Capability
The code implements an odds-monitor/analytics tool that legitimately uses an odds API and can send notifications — that aligns with the description. However metadata and code disagree about credentials: _meta.json claims SkillPay uses SKILLPAY_API_KEY/SKILLPAY_USER_ID, SKILL.md advertises pay-per-call, the repository metadata lists no required env vars, yet payment.py hard-codes a billing API key in source. Embedding a provider API key in code is unnecessary for the stated purpose and is disproportionate.
Instruction Scope
SKILL.md describes monitoring, data sources, and a top-of-file billing notice, which is consistent with the payment integration. But the runtime code (payment.py) will contact skillpay.me and attempt to charge users automatically (verify_payment / charge_user). The SKILL.md does not document how user identity is provided to billing (payment.py reads SKILLPAY_USER_ID env but defaults to 'anonymous_user'), nor does it explain the hard-coded billing key. The instructions therefore omit an important and potentially impactful runtime behavior (automatic remote billing calls).
Install Mechanism
No installer or remote download is used; the skill is delivered as source files and a requirements.txt (aiohttp, requests). That is lower-risk than arbitrary downloads. No obfuscated installers or remote code pulls were observed.
Credentials
The code expects ODDS_API_KEY (Odds API) and may use SKILLPAY_USER_ID, which are appropriate. But the repository metadata/registry claimed no required env vars while _meta.json declares billing API envs — inconsistent. Critically, payment.py contains a hard-coded BILLING_API_KEY (cleartext secret) and uses it to authorize billing calls to skillpay.me. Hard-coding a provider API key in shipped code is disproportionate and exposes a secret that should be stored in environment/config, not in source.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. However it is allowed autonomous invocation (platform default). Combined with its ability to call the billing API and charge users, autonomous execution increases the blast radius: the skill can make network billing requests each time it runs.
What to consider before installing
This skill implements the advertised odds-monitoring features, but it embeds a hard-coded SkillPay API key in payment.py and has inconsistent environment/metadata declarations. Risks: (1) the embedded billing key is sensitive — if valid it can be abused or leaked; (2) the skill will call an external billing endpoint and attempt to charge users automatically, which is not fully documented in SKILL.md; (3) registry metadata and files disagree about which env vars are required.
Before installing or running:
- Do NOT run this on any machine with sensitive credentials or on production agents until the author fixes the issues.
- Ask the author to remove the hard-coded BILLING_API_KEY from source and require that SKILLPAY_API_KEY be provided via environment/config; verify that they rotate the exposed key if it has been published.
- Request clear documentation on how SKILLPAY_USER_ID is supplied and whether billing calls occur automatically on each invocation.
- Consider running the skill in an isolated environment (sandbox/container) and monitor outbound network calls to skillpay.me and api.the-odds-api.com.
- If you do not trust the billing provider or the author, do not install — you could be charged unexpectedly or expose the embedded key.
If you want, I can: (a) point to the exact lines containing the embedded key and the billing calls, (b) suggest a minimal patch to require SKILLPAY_API_KEY from env, or (c) produce instructions to run the code in a network-restricted sandbox for audit.
Runtime requirements: Clawdis
