Security scan
OpenClaw
Suspicious (medium confidence)
The skill's functionality (a local portfolio CLI with sentiment-driven reports) is plausible, but several inconsistencies and undeclared requirements (Node/npm, home-directory database access, package names, a version mismatch, and a claimed security badge) warrant caution before installing or running it.
Assessment recommendations
Key things to check before installing or using this skill:
- Verify the source: SKILL.md claims a GitHub repository (https://github.com/sopaco/money-never-sleep) and a 'ClawHub Security Verified' badge, but the registry summary shows Source: unknown. Visit the repository manually, confirm it exists, inspect the release artifacts, and check the commit history and maintainers.
- Confirm package names and integrity: the docs reference multiple npm package names (e.g., @never-sleeps/mns-cli and platform-specific @never-s...
⚠ Purpose and capabilities
SKILL.md describes a CLI that requires Node/npm and reads and writes ~/.mns (config.toml and mns.db). The registry metadata lists no required binaries, no config paths, and no primary credential, which contradicts the documented need to access ~/.mns and to run prebuilt binaries via npm/npx. SKILL.md also claims a GitHub source and a 'ClawHub Security Verified' badge, while the top-level metadata shows Source: unknown and no homepage. These mismatches are unexplained and reduce trust.
ℹ Instruction scope
The instructions tell the agent to run mns CLI commands (init, report, sentiment, buy/sell, price), which create or overwrite files under the user's home directory (~/.mns) and fetch the CNN Fear & Greed Index over the network. That behaviour is consistent with the stated purpose (portfolio management plus sentiment), but it means the agent will be instructed to create or overwrite user files and to execute external npm binaries via npx. The docs include explicit examples of spawning child processes (npx), which is expected for a CLI skill but expands the execution surface.
⚠ Install mechanism
No install spec is declared in the registry (the skill is instruction-only), yet SKILL.md tells users and agents to install or run platform-specific npm packages (npm install -g @never-sleeps/mns-cli; npx @never-sleeps/bin-<platform>). Code will therefore be fetched from the npm registry and executed at runtime. Using npm/npx is common but carries moderate risk (arbitrary code execution, including any lifecycle scripts npm runs during install), and the registry entry should have declared this requirement and the exact package names. SKILL.md also mixes package-name variants (mns-cli vs bin-darwin-arm64 / cli-${PLATFORM}), which is confusing and makes it harder to verify what will actually run.
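The two checks above (confirming what npm will actually execute on install and via npx, and that the package names and source repository SKILL.md cites match what is published) can be scripted against the package manifest. The following is an added example written for this page, not code from the skill, its author, or ClawHub. The manifest it inspects is constructed for illustration and is not the real @never-sleeps/mns-cli package.json; the expansion of bin-<platform> / cli-${PLATFORM} to concrete names and the version used for the mismatch check are assumptions. For a real package, obtain the manifest with `npm view <name> --json` or unpack the tarball from `npm pack <name>` and pass the parsed package.json to audit_manifest.

```python
"""Pre-install audit of an npm package manifest (added example, not the skill's code)."""
import json
import re

# Lifecycle scripts that npm runs automatically during install/uninstall.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "postuninstall")

# Package names the SKILL.md cites. "mns-cli" and "bin-darwin-arm64" come from
# the review text; "cli-darwin-arm64" is an ASSUMED expansion of cli-${PLATFORM}.
SKILL_MD_PACKAGE_NAMES = frozenset({
    "@never-sleeps/mns-cli",
    "@never-sleeps/bin-darwin-arm64",
    "@never-sleeps/cli-darwin-arm64",
})

# CONSTRUCTED manifest for illustration; not the real package's package.json.
SAMPLE_MANIFEST = json.loads(r"""
{
  "name": "@never-sleeps/mns-cli",
  "version": "0.5.2",
  "bin": {"mns": "bin/mns.js"},
  "scripts": {
    "postinstall": "node scripts/fetch-platform-binary.js",
    "test": "node test.js"
  },
  "optionalDependencies": {
    "@never-sleeps/bin-darwin-arm64": "0.5.2",
    "@never-sleeps/bin-linux-x64": "0.5.2"
  },
  "repository": {"type": "git", "url": "git+https://github.com/sopaco/money-never-sleep.git"}
}
""")

# Names of the form <os>-<arch> usually mark prebuilt native binary packages.
PLATFORM_RE = re.compile(r"(darwin|linux|win32|freebsd)-(x64|arm64|ia32)")


def _repo_url(manifest):
    """Normalise the 'repository' field (string or object) for comparison."""
    repo = manifest.get("repository")
    if isinstance(repo, dict):
        repo = repo.get("url", "")
    if not isinstance(repo, str):
        return ""
    repo = re.sub(r"^git\+", "", repo)
    return re.sub(r"\.git$", "", repo).rstrip("/")


def audit_manifest(manifest, expected_version=None, expected_repo=None,
                   skill_names=frozenset()):
    """Return human-readable findings a reviewer should resolve before installing."""
    findings = []
    name = manifest.get("name", "<unnamed>")

    # 1. Anything here executes during `npm install` without the user invoking it.
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle script '{hook}' runs automatically on install: {scripts[hook]}")

    # 2. The entry points `npx <name>` will run.
    bins = manifest.get("bin") or {}
    if isinstance(bins, str):  # npm allows a bare path; the command is then the package name
        bins = {name.split("/")[-1]: bins}
    for cmd, path in bins.items():
        findings.append(f"'npx {name}' executes bin '{cmd}' -> {path}")

    # 3. Prebuilt binaries pulled in per platform (opaque code, review separately).
    optional = manifest.get("optionalDependencies") or {}
    for dep in optional:
        if PLATFORM_RE.search(dep):
            findings.append(f"platform-specific binary package pulled in at install: {dep}")

    # 4. Metadata consistency against what the registry / SKILL.md claims.
    if expected_version and manifest.get("version") != expected_version:
        findings.append(f"version mismatch: expected {expected_version}, manifest declares {manifest.get('version')}")
    if expected_repo:
        actual = _repo_url(manifest)
        if actual != _repo_url({"repository": expected_repo}):
            findings.append(f"repository mismatch: SKILL.md claims {expected_repo}, manifest says {actual or 'none'}")

    # 5. Every name SKILL.md tells the agent to run must actually exist somewhere.
    published = {name} | set(optional) | set(manifest.get("dependencies") or {})
    for missing in sorted(skill_names - published):
        findings.append(f"SKILL.md references '{missing}', which this manifest neither publishes nor depends on")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, expected_version="0.5.3",
                                  expected_repo="https://github.com/sopaco/money-never-sleep",
                                  skill_names=SKILL_MD_PACKAGE_NAMES):
        print("-", finding)
```

Any lifecycle-script finding is the one to resolve first: `npm install -g --ignore-scripts <name>` installs without running those hooks, but the bin entries still execute whenever the CLI is invoked, so they need a read of the unpacked tarball regardless. A name that SKILL.md cites but no manifest publishes is also a supply-chain signal, since an unclaimed scoped name could later be registered by anyone.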
⚠ Credential requirements
The registry declares no required environment variables, yet the skill needs filesystem access to ~/.mns and network access for the sentiment and report commands; neither is declared in the metadata (no required config paths are listed). No secrets are requested, but the ability to create or overwrite files in the user's home directory and to run arbitrary npm-distributed binaries is significant and should have been declared explicitly.
✓ Persistence and permissions
The skill does not request always:true and does not declare elevated platform privileges. It persists data under ~/.mns (its own config and database), which is normal for a CLI tool, and it does not claim to modify other skills or system-wide agent settings.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v0.5.3 (2026/4/20)
- Now explicitly states that the CLI does not execute real trades or connect to broker APIs; all trading actions must be performed manually and recorded in the tool.
- Clarified that "交易记录" (trade recording) replaces "交易执行" (trade execution) in the skill description and documentation.
- Added "ClawHub Security Verified" certification, with details about safety, local data storage, and open-source transparency.
- Expanded skill triggers and improved language around configuration/reset warnings for storage initialization.
- Updated metadata: new version number, added security and source code fields.
● Pending
Install command
Official: npx clawhub@latest install money-never-sleep
Mirror (accelerated): npx clawhub@latest install money-never-sleep --registry https://cn.longxiaskill.com