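📦 Jupiter Prediction Market — Prediction Market Client
v0.1.0
A complete Node.js client for Jupiter Prediction Market, designed for AI agents. It supports prediction market trading, portfolio management and automated strategy execution, with one-step integration of market data, order placement and risk-control interfaces.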
Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill largely implements a Jupiter Prediction Market client, but there are a few things to check before using it:
- API key handling: The code expects a JUPITER_API_KEY environment variable or saves the key to config/api-key.json in the current working directory. The registry metadata does not declare this; assume the skill will read and may write an API key file. If you install it, avoid putting long-lived/privileged keys there — use a restricted/ephemeral key if possible.
- Persistence:...
⚠ Purpose and capabilities
Name/description match the code: this is a Node.js client exposing endpoints and scripts for scanning markets, managing positions, and claiming payouts. However the registry metadata declared no required env vars/credentials while the SKILL.md and code clearly expect a JUPITER_API_KEY (or a config/api-key.json). Also some source files (src/market_manager.js) reference modules with different paths (../api_client, ../utils) that are not present, indicating sloppy packaging or incomplete code.
⚠ Instruction scope
SKILL.md instructs the agent to use an API key (JUPITER_API_KEY) or config/api-key.json and to run bundled scripts that perform market scanning, claiming, and trading workflows. The instructions mention transactions require user Solana wallet signatures, but the scripts and client do not include wallet signing integration — they only pass ownerPubkey strings to API endpoints. The skill's runtime instructions legitimately require access to an API key and may persist it locally; they do not ask for unrelated system files, but they are vague about how signing/authorization for on-chain actions is handled.
✓ Install mechanism
No install spec — instruction/code-only. package.json lists a single runtime dependency (cross-fetch) which is proportionate. There are no remote downloads or extract steps and no unusual external URLs in the repo, so installation risk is low from a supply-chain-download perspective. However the package will include code that performs filesystem operations (reading/writing config/api-key.json).
⚠ Credential requirements
Registry metadata declares no required environment variables, but both SKILL.md and src/utils/api-key.js expect JUPITER_API_KEY (process.env.JUPITER_API_KEY) or the config/api-key.json file. The ApiKeyManager can write the API key to disk (config/api-key.json) and read it; that is reasonable for a client library but the lack of declared env requirements in the metadata is an inconsistency. No other credentials are requested, and code does not attempt to read unrelated system credentials, but writing persistent API keys to the agent's working directory is a sensitive action that should be acknowledged.
⚠ Persistence and privileges
always: false (good). But the code provides ApiKeyManager.setApiKey which writes config/api-key.json in process.cwd(), and ApiKeyManager.getApiKey will read from that file — so the skill can persist API credentials to disk. This is expected for a client library but is meaningful persistence within an agent environment and increases blast radius if an API key is misused. The skill does not request elevated system-wide privileges, but the ability to write a credentials file is noteworthy.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.1.0 2026/3/10
● Benign
Install command
Official: npx clawhub@latest install jupiter-prediction-market
Mirror: npx clawhub@latest install jupiter-prediction-market --registry https://cn.longxiaskill.com