Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Whale Movement Detector (庄家异动探测器)

v9.9.9

Monitors large capital movements on Polymarket in real time, analyzes whale positions and win rates, and supports SkillPay 0.01U crypto payment callbacks.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (monitor Polymarket movers, charge 0.01U via SkillPay) aligns with the code, which queries Polymarket endpoints and creates SkillPay charges. However, the skill does not declare SKILLPAY_API_KEY in its manifest/requirements even though the code depends on it; instead, a long hardcoded default API key is present in main.py. Embedding a payment API key in code while failing to declare the required credential is inconsistent and risky.
Instruction Scope
SKILL.md is short and stays on-topic (FastAPI deployment, payment callback). The runtime code only performs network calls to Polymarket and SkillPay and exposes a /invoke endpoint; it does not attempt to read unrelated files or environment state. Still, SKILL.md does not mention the required SkillPay credential or the default hardcoded key present in the code.
Install Mechanism
No installer downloads arbitrary code; requirements.txt lists standard packages (fastapi, uvicorn, requests, pydantic). The skill is instruction + included source files (no remote installers), so install risk is low.
Credentials
The code expects SKILLPAY_API_KEY and SKILLPAY_API_BASE but the skill metadata lists no required env vars or primary credential. Worse: main.py contains a long hardcoded SKILLPAY_API_KEY default, meaning payments will be created against the embedded key unless the operator overrides it. This is disproportionate and unexplained for a user-installed skill — it effectively routes micro-payments to whoever controls that key.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It exposes an HTTP API and enables permissive CORS (allow_origins and allow_origin_regex wildcard), which increases exposure but is not special platform privilege.
What to consider before installing
Key issues to consider before installing:
- There is a hardcoded SkillPay API key in main.py. By default, payments created by this skill will go to the account that owns that key. If you install this skill, replace SKILLPAY_API_KEY with your own SkillPay key (set it in the environment) and verify SKILLPAY_API_BASE if you want payments to route to your account. Do not rely on the embedded key.
- The skill manifest does not declare the SKILLPAY_API_KEY requirement despite the code depending on it. That mismatch is a red flag and means the author did not follow least-privilege/clear-declaration practices.
- The service exposes an HTTP /invoke endpoint with very permissive CORS (wildcard origins). Run it in an isolated network environment if possible and avoid exposing it to untrusted networks.
- The code only makes network calls to Polymarket (clob.polymarket.com) and SkillPay endpoints; there is no other obvious exfiltration. Still, because payments are routed externally, verify the SkillPay account destination before sending funds.
- If you want to use this skill safely: a) set SKILLPAY_API_KEY and SKILLPAY_API_BASE to your own values in a secure environment variable store, b) audit the key in main.py and remove or rotate it, c) run the service behind an authenticated proxy or in a sandbox, and d) consider contacting the author to request that credentials not be hardcoded and be declared in the manifest.

If you cannot or will not supply your own SkillPay credentials and cannot verify the embedded key, do not install or invoke the skill, because micro-payments will be directed to an account you do not control.


latest: vk97bqg7dqnv6jedm2rm7z56xfh82by3d
304 downloads
0 stars
1 version
Updated 18h ago
v9.9.9
MIT-0


Whale Movement Detector (庄家异动探测器, PolyHunter)

Core Features

  • Monitor large on-chain capital movements on Polymarket in real time.
  • Automatically analyze whales' (庄家) position changes and win-rate distribution.
  • Integrate a SkillPay 0.01U payment gate to ensure the intelligence holds its value.

Deployment Notes

This skill runs in a FastAPI environment, supports concurrent API calls, and automatically handles cryptocurrency payment callbacks.

Developer Notes

Driven by 星爷's stock-picking logic, it aims to provide Web3 investors with precise market insights.
