Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendation
This skill is plausible for crypto analytics but contains inconsistencies and sensitive steps you should review before installing: (1) The registry lists no required environment variables, yet SKILL.md instructs storing HEURIST_API_KEY, WALLET_PRIVATE_KEY, or INFLOW keys in a local .env — confirm the publisher and why the metadata omits these. (2) If you use the x402 flow, the skill asks you to place a wallet private key in plaintext in the project root; avoid using your primary wallet. Use an e...
⚠ Purpose and capabilities
The skill description (crypto/DeFi analytics, mesh API) is plausible for needing an API key or payment method, but the published registry metadata declares no required environment variables or credentials while the SKILL.md explicitly instructs users to add HEURIST_API_KEY, WALLET_PRIVATE_KEY, or INFLOW_* keys to a .env file. The missing declared requirements are an incoherence: the skill will need secrets but metadata does not advertise them.
⚠ Instruction scope
SKILL.md instructs the agent (and user) to read the project .env file to confirm credentials and to store private keys in that file. It also includes detailed multi-step payment flows (HTTP endpoints, on‑chain signing via cast/Foundry, and Inflow flows). These instructions cause the agent to access local files containing secrets and to construct signatures/payments; that is within the skill's stated purpose for payment-enabled calls, but it also grants the skill broad ability to read sensitive local credentials and to perform actions with them — and those actions are not reflected in the registry's declared requirements.
ℹ Installation mechanism
This is an instruction-only skill (no install spec). However, the references describe installing Foundry/cast via curl | bash for x402 on-chain payments. Because the skill doesn't include an install block, that installation is left to the user/agent; it's a normal pattern but important to know about (curl | bash installs carry supply-chain risk).
⚠ Credential requirements
The SKILL.md asks for three classes of sensitive credentials: HEURIST_API_KEY (expected), WALLET_PRIVATE_KEY (on‑chain payment — high privilege), and INFLOW_USER_ID/INFLOW_PRIVATE_KEY (payment). Requiring a wallet private key is proportionate if you choose the x402 flow, but the registry metadata did not declare any required env vars and the instructions ask the agent to read .env directly. Storing a raw private key in a project .env is risky; if you must use on‑chain payments, a dedicated ephemeral wallet or delegated signing is safer.
✓ Persistence and permissions
The skill does not request always:true and does not declare modifications to other skills or global config. Autonomous invocation is allowed (platform default) but not uniquely privileged here. The skill's runtime behavior doesn't request permanent system-level presence beyond reading .env and interacting with remote Mesh endpoints.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.3 2026/1/27
● Suspicious
Install command
Official: npx clawhub@latest install heurist-mesh
Mirror (accelerated): npx clawhub@latest install heurist-mesh --registry https://cn.longxiaskill.com