Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Whale Activity Detector (庄家异动探测器)

v1.4.0

Monitors large capital movements on Polymarket in real time, analyses whale positions and win rates, and gates the intelligence behind a SkillPay 0.01U payment to guarantee its value.

0 stars · 305 downloads · 1 version current · 1 all-time

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's declared purpose (monitor Polymarket and charge via SkillPay) matches the network calls in main.py to Polymarket and SkillPay. However there is an inconsistency between the registry metadata that listed no required env vars and the included skill.yaml/main.py which require SKILLPAY_API_KEY. That mismatch is unexpected and reduces trust.
Instruction Scope
SKILL.md describes a FastAPI service that processes payments and returns market movers; main.py implements FastAPI endpoints and only makes network calls to Polymarket and SkillPay. The instructions are not asking the agent to read arbitrary local files or unrelated credentials. SKILL.md mentions 'automatically handle crypto payment callbacks' while the implementation polls SkillPay; the doc is a bit vague but not evidence of broader data collection.
Install Mechanism
No external download/install mechanism is present; dependencies are standard Python packages listed in requirements.txt. Nothing in the install spec indicates extraction of arbitrary archives or fetching code from untrusted hosts.
Credentials
The skill legitimately needs a SkillPay API key to create and check charges. However main.py contains a hardcoded SKILLPAY_API_KEY default token embedded in source code. Shipping a working default key is a sensitive design choice: it can route payments to the embedded key's owner (or leak a secret). The required-env listing in skill.yaml (SKILLPAY_API_KEY required) conflicts with the registry summary that claimed none — another coherence issue.
Persistence & Privilege
The skill is not configured as 'always: true' and does not request elevated persistence. It needs network permission (reasonable for its purpose) but does not modify other skills or system-wide settings.
What to consider before installing
This skill largely does what it says (polls Polymarket, charges via SkillPay) but I found a hardcoded SkillPay API key in the source. Before installing:
  (1) Treat the embedded key as a red flag — it may route payments or indicate a leaked secret. Ask the author whether that token is a harmless test key; if not, do not use it.
  (2) Prefer running the skill only after you set your own SKILLPAY_API_KEY environment variable; inspect/replace the hardcoded default in main.py.
  (3) Confirm who will receive the 0.01 USDT payments (the skill owner? you?).
  (4) Because the skill opens a networked API, run it in an isolated environment or sandbox until you verify behavior.
  (5) The registry metadata and skill.yaml disagree about required env vars; ask the publisher to correct this and to remove any embedded credentials.
If the author confirms the embedded key is invalid/test-only and they update the repo to remove it, my concern would be reduced.


latest: vk97bk6zjh4hj35pbkcg71b00p182ap3f
305 downloads
0 stars
1 version
Updated 18h ago
v1.4.0
License: MIT-0


Whale Activity Detector (PolyHunter)

Core features

  • Monitors large on-chain capital movements on Polymarket in real time.
  • Automatically analyses changes in whale positions and their win-rate distribution.
  • Integrates a SkillPay 0.01U payment threshold to guarantee the value of the intelligence.

Deployment notes

This skill runs in a FastAPI environment, supports concurrent API calls, and automatically handles cryptocurrency payment callbacks.

Developer notes

Powered by the 星爷 stock-picking logic, it aims to give Web3 investors precise market insights.
