Security Scan
OpenClaw
Safe
medium confidence
The skill's code and instructions are coherent with a read-only BTC risk snapshot using public exchange APIs; nothing in the provided files requests secrets, installs software, or performs obvious writes, but the script content was truncated in the listing so full-file review is recommended.
Assessment recommendations
This skill appears to do what it says: fetch public market endpoints and produce a read-only risk snapshot. Before installing/using it: (1) review the full script (the provided listing was truncated) to ensure there are no hidden network endpoints, telemetry, or file writes in the unseen tail; (2) run the quick-audit commands in an isolated environment or container and monitor outbound network traffic to confirm only the documented exchange domains are contacted; (3) do not provide any API keys,...
✓ Purpose and capabilities
Name/description request public options/perp/spot data and the repository contains a Python script that only calls public exchange REST endpoints (Deribit, Binance, Coinbase, OKX, Bybit). No unrelated binaries, services, or credentials are requested.
✓ Instruction scope
SKILL.md restricts runtime behavior to running the included script and interpreting its JSON output; the documented commands and audit path focus on read-only HTTP queries and explicit disclosure of data gaps. The instructions do not ask the agent to read unrelated local files or send data to third-party endpoints.
✓ Install mechanism
No install spec — instruction-only with an included Python script. This is the lowest-risk install model. The script uses the standard requests library; no downloads from untrusted URLs are present in the provided portion.
✓ Credential requirements
The skill declares no required environment variables, credentials, or config paths. The script as provided performs only unauthenticated public API calls; there is no apparent reason for secrets or elevated access.
✓ Persistence and privileges
The skill is not always-included and does not request persistent system changes. SKILL.md asserts the tool is read-only and will not write files or mutate exchange state; the visible code follows that model.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/8
Promote to product-ready 1.0.0 and improve ClawHub summary copy: clearer professional positioning, confidence-aware risk snapshot framing, and stronger market-facing presentation.
● Benign
Install command
Official: npx clawhub@latest install btc-risk-radar
Mirror: npx clawhub@latest install btc-risk-radar --registry https://cn.clawhub-mirror.com
Skill documentation
Generate a verifiable BTC risk snapshot from public data, then produce a concise analyst conclusion.
This skill is a read-only heuristic risk-state framework, not a full institutional analytics stack. Several fields are deliberate proxies / approximations and must be presented as such.
Workflow
- Run scripts/btc_risk_radar.py to collect current public data and compute metrics.
- Read JSON output first; treat it as the source of truth.
- Explain conclusions with explicit confidence, caveats, and data gaps.
- Avoid deterministic predictions; present risk state (GREEN/AMBER/RED) and trigger reasons.
- If venue coverage is partial, keep going and surface degraded confidence rather than pretending coverage is complete.
Quick Audit Path
For a fast review:
- Run python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --sources
- Run python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --json
- Confirm the script only performs read-only public HTTP requests and returns a market snapshot with caveats.
- Verify that proxy metrics and partial-data conditions are explicitly disclosed in output.
Commands
python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --json
python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --sources
python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --version
python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --prompt "用户问题"
python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --lang en
python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --lang zh
python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --horizon-hours 72
python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --event-mode high-alert
python3 skills/btc-risk-radar/scripts/btc_risk_radar.py --audience beginner --lang zh
Safety / Scope Boundary
- Read-only skill: query public market APIs only.
- Use no authentication, cookies, API keys, private accounts, or wallet access.
- Execute no trades, place no orders, and mutate no exchange state.
- Write no files and send no external messages as part of normal use.
- Produce analysis only; not investment advice.
Output Policy
- Default language behavior: auto.
- If --lang auto and the prompt contains Chinese, switch final narrative to Chinese.
- If --lang auto and no Chinese is detected, use English.
- --json output is language-neutral.
- Always include:
  - as_of_utc
  - key metrics (ATM IV, RR25, RR15, put-volume proxy, funding, basis)
  - availability
  - data_gaps
  - degraded_mode
  - 72h validation matrix (validation_72h)
  - confidence (confidence.score, confidence.level)
  - action trigger set (action_triggers)
  - data-source note and caveats
- Audience modes:
  - pro (default): concise trading/risk language
  - beginner: plain-language educational explanation with metric interpretation
- Event modes:
  - normal (default)
  - high-alert (more sensitive thresholds for macro/event windows)
Interpretation Guardrails
- put_buy_share_proxy is a proxy from put/call volume split, not true aggressor signed-flow.
- Funding regime is an aggregated public snapshot, not a full term-structure model.
- RED means elevated downside risk pricing, not guaranteed crash.
- Partial venue failure should lower confidence, not silently disappear from the narrative.
Data Sources (public)
- Deribit Public API
  - /public/get_instruments
  - /public/get_order_book
  - /public/get_book_summary_by_currency
  - /public/get_index_price
  - /public/get_book_summary_by_instrument
- Coinbase Public API
  - /v2/prices/BTC-USD/spot
- Binance Public API (optional)
  - /api/v3/ticker/price
- OKX Public API
  - /api/v5/market/ticker
  - /api/v5/public/funding-rate
- Bybit Public API
  - /v5/market/tickers
Data source: ClawHub · Chinese localization: 龙虾技能库