Whale Movement Detector (庄家异动探测器)
v1.1.0
Monitors large whale capital movements on Polymarket in real time, automatically analyzes positions and win rates, and supports SkillPay 0.01U crypto payments.
Security Scan (OpenClaw)
Suspicious (high confidence)
Purpose & Capability
The code behavior (fetching Polymarket endpoints; creating and polling SkillPay charges) matches the stated purpose. However, metadata inconsistencies exist: registry metadata reported no required env vars, while skill.yaml declares SKILLPAY_API_KEY as required, yet main.py ignores the env var and embeds a literal SKILLPAY_API_KEY. Embedding a payment service secret in the code does not align with normal, least-privilege design for this purpose.
Instruction Scope
SKILL.md describes running a FastAPI service and handling payments, which is consistent with main.py. The runtime makes network calls to Polymarket and SkillPay only and serves an /invoke endpoint; it does not read unrelated system files. The doc does not warn about the embedded API key or about the service exposing a public HTTP endpoint with permissive CORS.
Install Mechanism
No download-from-URL or arbitrary install steps; dependencies are standard Python packages listed in requirements.txt. The skill will run a FastAPI server (uvicorn) — there is no unusual install mechanism, but the repository is the source of truth and contains the hardcoded secret.
Credentials
skill.yaml declares SKILLPAY_API_KEY as a required env variable (which is reasonable for payment integration), but main.py does not read SKILLPAY_API_KEY from the environment and instead hardcodes a long 'sk_...' secret. That embedded API key is sensitive and disproportionate for a publicly distributed skill; it's unclear who controls the key and which account will receive payments. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills, and only needs network permission (declared in skill.yaml). It will run an HTTP endpoint, which is expected for this functionality.
Scan Findings in Context
[hardcoded_skillpay_api_key_in_main_py] unexpected: main.py contains a literal SKILLPAY_API_KEY = "sk_8b36c2c...". For a payment integration a runtime-provided API key (env var or secret store) is expected; a hardcoded key is sensitive and inconsistent with skill.yaml's required env var.
[skill_yaml_requires_skillpay_api_key] expected: skill.yaml correctly declares SKILLPAY_API_KEY as required for the payment flow; this is expected. The problem is that the code ignores the env variable and uses an embedded key instead.
What to consider before installing
Do NOT install or enable this skill until the developer addresses the hardcoded API key and provenance concerns. Specific actions to request or take before installing:
1) Ask the publisher for a public source repo and proof of ownership of the SkillPay account.
2) Require removal of the hardcoded SKILLPAY_API_KEY from main.py and that the code read the API key from an environment variable or secret store.
3) Have the developer rotate/revoke the exposed API key immediately (assume it may be compromised).
4) Verify billing behavior in a safe test environment: who receives the 0.01 USDT payments and whether that is intended.
5) If you must test, run the skill in an isolated sandbox or VM and monitor network traffic, and do not provide any of your own credentials or wallets.
The unknown source and embedded secret are concrete red flags; treat this package as untrusted until resolved.
Whale Movement Detector (PolyHunter)
Core Features
- Real-time monitoring of large on-chain capital movements on Polymarket.
- Automated analysis of whales' position changes and win-rate distribution.
- Integrated SkillPay 0.01U payment gate to ensure the intelligence retains its value.
Deployment Notes
This skill runs in a FastAPI environment, supports concurrent API calls, and automatically handles cryptocurrency payment callbacks.
Developer Notes
Driven by 星爷's stock-picking logic, it aims to provide Web3 investors with precise market insight.