Security scan
OpenClaw
Suspicious
high confidence
The skill's code and metadata disagree about required credentials and billing, and a hard-coded SkillPay API key is embedded — the package looks like what it says (whale monitoring) but has incoherent and risky payment/credential handling that you should not trust without remediation.
Assessment recommendations
This skill largely does what it claims (whale monitoring), but there are important red flags you should address before installing: (1) payment.py contains a hard-coded SkillPay API key — embedded secrets are unsafe and may indicate misuse of a billing account; (2) the package metadata claims no required env vars while the code needs multiple API keys and webhook tokens (Etherscan/Alchemy/Moralis, TELEGRAM_*, DISCORD_WEBHOOK_URL, SKILLPAY_USER_ID); (3) the skill will make outbound network calls a...
Detailed analysis
⚠ Purpose and capabilities
The skill claims no required environment variables in the registry metadata, but the code and documentation clearly expect multiple external API keys (Etherscan/Alchemy/Moralis and notification webhooks) and integrate with a billing provider (SkillPay). _meta.json also lists SKILLPAY_API_KEY / SKILLPAY_USER_ID as required, conflicting with the top-level 'required env vars: none'. This mismatch is incoherent and unjustified for the stated purpose.
⚠ Instruction scope
SKILL.md describes normal monitoring actions, but the bundled runtime code accesses environment variables (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, DISCORD_WEBHOOK_URL, CUSTOM_WEBHOOK_URL, SKILLPAY_USER_ID) and will make outbound requests to multiple third-party services (explorer APIs, notification endpoints, and skillpay.me). The SKILL.md does not declare these required credentials or explain billing verification steps that payment.py performs, giving the agent broad network activity not surfaced in the metadata.
ℹ Install mechanism
There is no install spec (instruction-only), which reduces installation-level risk. However, the skill is not truly instruction-only — it includes multiple executable Python scripts that will read/write files and perform network calls when run. No external archives or unusual installers are used.
⚠ Credential requirements
The code expects or reads many sensitive environment variables (notification webhooks, explorer API keys, and SKILLPAY user id). More importantly, payment.py contains a hard-coded SkillPay API key (sk_...), which is a secret embedded in the code — this is unexpected and disproportionate. The registry metadata and SKILL.md fail to clearly declare required credentials, creating a mismatch and potential for billing or credential misuse.
✓ Persistence and privileges
The skill does not request always:true and does not modify other skills or global agent settings. It will create and write local files (alert_configs.json, alert_history.json, whale_monitor.log, config.yaml) which is expected for a monitoring daemon. Autonomous invocation is enabled by default (not flagged here) but increases blast radius combined with the other concerns.
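Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/11
- Initial release of the whale monitoring tool, supporting multi-chain address tracking, large-transfer alerts, exchange fund flows and holdings analysis
- Supports custom alert thresholds and real-time notifications over multiple channels (Telegram, Discord, Webhook)
- Provides tiered/cooldown alert management and alert history archiving
- SkillPay integrated, 0.01 USDT per call
● Suspicious
Install command
Official: npx clawhub@latest install shenmeng-whale-alert-monitor-batch3-042026
Mirror (accelerated): npx clawhub@latest install shenmeng-whale-alert-monitor-batch3-042026 --registry https://cn.clawhub-mirror.com
Skill documentation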
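Cryptocurrency whale account alert and monitoring assistant: track every move of smart money
Core capabilities
1. Whale wallet monitoring
- Address tracking - Monitor all on-chain activity of specific wallet addresses
- Label system - Add labels to known large holders (exchange, institution, whale)
- Behavior analysis - Identify patterns such as accumulation, distribution and shakeouts
2. Large-transfer alerts
- Custom thresholds - Set alert amounts for ETH, BTC, USDT and other tokens
- Multi-chain support - Supports Ethereum, BSC, Arbitrum and other major chains
- Real-time notifications - Push over Telegram/Discord/Webhook channels
3. Exchange fund flows
- Inflow monitoring - Detect large transfers into exchanges (potential selling pressure)
- Outflow monitoring - Detect funds leaving exchanges (accumulation signal)
- Net flow analysis - Calculate net exchange inflow/outflow
4. Holdings change analysis
- Balance tracking - Monitor wallet balance changes
- Cost estimation - Estimate the cost basis of whale holdings
- Profit and loss analysis - Track unrealized profit and loss
5. Alert management
- Tiered alerts - Tiered by amount (normal/important/urgent)
- Cooldown mechanism - Prevent duplicate alerts
- History - Save all alert history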
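Usage workflows
Scenario 1: Monitor a specific whale wallet
When you want to track the wallet activity of a known large holder:
- Add the target address to the monitoring list
- Set the transaction amount threshold
- Configure the notification method
- Start receiving real-time alerts
Scenario 2: Exchange fund flow monitoring
When you want to monitor market fund flows:
- Select the exchanges to watch
- Monitor large inflows/outflows
- Analyze the impact of fund flows on the market
Scenario 3: Whale behavior pattern recognition
When you want to understand the behavior patterns of large holders:
- Analyze historical transaction data
- Identify accumulation/distribution patterns
- Predict possible market movements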
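Data sources
- Ethereum mainnet - On-chain data via the Etherscan API
- BSC - On-chain data via the BscScan API
- Arbitrum - On-chain data via the Arbiscan API
Pricing
SkillPay is integrated, 0.01 USDT per call
How to use
After activating the skill, you can say things like:
- "Monitor large transfers for this address 0x... for me"
- "Set an alert to notify me when a transfer exceeds 100 ETH"
- "Show recent large fund inflows to exchanges"
- "Analyze the recent behavior pattern of this whale wallet"
- "Show me a summary of whale movements over the last 24 hours"
Notes
- On-chain data analysis takes time; queries over large time ranges may require waiting
- Alerts are based on confirmed transactions and may be delayed
- Whale behavior does not determine where the market will go; combine it with other information when making judgments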
Data source: ClawHub · Chinese localization: 龙虾技能库