Crypto Address Sentinel — 实用工具
v1.0.0监控 wallet balances 和 -chain activity. Get alerts when balances change or when specified conditions met. Use 用于 tracking portfolio, detecting un...
0· 87·0 当前·0 累计
by @zhiuannnn 安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose (monitoring wallet addresses) is plausible, but the runtime instructions are vague and inconsistent with the registry metadata and leave room for unexpected network activity and data exfiltration (via webhooks) without clarifying what credentials, RPC providers, or storage are used.
评估建议
Before installing, verify these points: (1) Confirm where monitoring will run and which RPC or API providers will be used (public nodes, Alchemy/Infura, or other services) and whether any additional API keys will be requested at runtime. (2) Treat ALERT_WEBHOOK as sensitive — only provide a webhook you control or trust, since it will receive addresses and balance/activity data. (3) Ask the publisher to reconcile metadata: the registry should list WATCHED_ADDRESSES and ALERT_WEBHOOK if they are r...详细分析 ▾
ℹ 用途与能力
The skill's name, description, and listed features (balance monitoring, activity detection, multi-chain support) align with each other. However, the registry metadata declares no required environment variables or credentials while the SKILL.md defines WATCHED_ADDRESSES, ALERT_WEBHOOK, and CHECK_INTERVAL_MINUTES — a mismatch that should be reconciled. The SKILL.md claims support for multiple chains but gives no guidance on which RPC providers or APIs it will use (no Alchemy/Infura/third-party API keys mentioned).
⚠ 指令范围
SKILL.md is high-level and leaves critical implementation choices to the agent: how to fetch on-chain data, where to store/persist the watchlist (add/remove are documented but persistence mechanism is unspecified), and how periodic checking is scheduled. The optional ALERT_WEBHOOK allows sending potentially sensitive balance/activity data to an arbitrary external endpoint — expected for alerts but also a plausible vector for exfiltration if misused. The instructions do not reference reading unrelated files or hidden env vars, but they are open-ended and grant broad discretion.
✓ 安装机制
No install spec or code files are present (instruction-only), so there is no installer risk or archive download. This minimizes disk/write risk but also means runtime behavior depends entirely on how the agent implements the instructions.
⚠ 凭证需求
The SKILL.md expects WATCHED_ADDRESSES and ALERT_WEBHOOK (and an interval), but the skill registry lists no required env vars or primary credential. This inconsistency can lead to surprise at runtime. ALERT_WEBHOOK could transmit sensitive wallet addresses and balances to external systems; while that is a legitimate alerting mechanism, it should be explicitly called out in metadata and the user should ensure the webhook endpoint is trusted. No credentials for blockchain providers are requested — either the agent will use public endpoints (rate/accuracy concerns) or it may prompt for additional keys at runtime.
ℹ 持久化与权限
always:false and default autonomous invocation are set (normal). The design implies periodic monitoring; if the agent is allowed to run autonomously this could result in recurring network calls and webhook deliveries. The skill does not request elevated system privileges or configuration changes, but the lack of a clear persistence model for the watchlist (how add/remove are saved) is a functional gap.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install crypto-address-sentinel
镜像加速npx clawhub@latest install crypto-address-sentinel --registry https://cn.longxiaskill.com 镜像可用
本土化适配说明
Crypto Address Sentinel — 实用工具 安装说明: 安装命令:["openclaw skills install crypto-address-sentinel","npx clawhub@latest install crypto-address-sentinel"]