庄家异动探测器
Security checks across malware telemetry and agentic risk
Overview
The skill fetches Polymarket data behind a SkillPay paywall, but it embeds an undeclared SkillPay API key and advertises whale/win-rate intelligence that the visible code does not implement.
Install only if you are comfortable with an external SkillPay payment flow and with receiving basic Polymarket price-mover data rather than the advertised whale holding or win-rate analysis. Ask the publisher to remove the embedded API key, disclose payment configuration clearly, and align the description with the actual implementation.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may pay expecting whale or insider-style intelligence but receive only basic public market price-mover data.
This advertises whale fund-movement, holdings, and win-rate analysis. The visible main.py implementation instead fetches Polymarket markets and computes price deltas for the top active markets, so the paid output appears materially less capable than claimed.
- 实时监控 Polymarket 链上大额资金异动。 - 自动化分析庄家(Whales)的持仓变化与胜率分布。
Require the description to match the implemented output, clearly disclose that it returns price movers only unless real whale/holding/win-rate analysis is added, and verify the output before paying.
The skill can create and query SkillPay charges through an undeclared fixed payment credential, making the payment account and authority unclear to the user.
A SkillPay bearer API key is embedded as a default and is used in Authorization headers for creating and querying charges, while the provided registry metadata declares no required environment variables or primary credential.
SKILLPAY_API_KEY = os.getenv("SKILLPAY_API_KEY", "sk_8b36...446b71")Remove the hardcoded key, rotate the exposed credential, declare the required secret/configuration explicitly, and bind payment handling to the verified skill owner or platform billing controls.
If exposed publicly without platform controls, arbitrary clients could trigger payment-request creation or status polling, though the code does not directly charge a user without payment completion.
The FastAPI service permits broad cross-origin calls and the /invoke path can create SkillPay payment requests. This is consistent with a payment-gated API skill, but it should be deployed behind intended platform authentication, confirmation, and rate limits.
allow_origins=["*"], allow_origin_regex=".*", allow_methods=["*"] ... if not req.charge_id: cid, purl = create_skillpay_charge(PRICE_AMOUNT, PRICE_CURRENCY)
Keep the billing confirmation requirement, restrict CORS to expected origins where possible, and add authentication or rate limiting around payment-creation endpoints.