by 安全扫描
OpenClaw
安全
high confidenceNULL
评估建议
This skill appears to be what it says: a CLI-based Hyperliquid trading plugin that requires the openbroker npm package and your HYPERLIQUID_PRIVATE_KEY. Before installing: (1) Only provide a private key if you trust the package/author — the key can execute trades and move funds. Prefer using a wallet or key with limited funds or a mechanism that can be revoked. (2) Inspect the openbroker npm package source (repository, maintainers, recent changes) and verify the package integrity. (3) Consider r...详细分析 ▾
✓ 用途与能力
Name/description (Hyperliquid trading, order/position management) match the declared requirements: a CLI binary named 'openbroker' and a Hyperliquid private key. The npm package install and the listed plugin tools map directly to trading and info commands.
✓ 指令范围
SKILL.md only describes running the openbroker CLI and associated ob_* plugin tools (and falling back to the CLI via Bash). Those instructions are within the trading scope. Note: fallback to running CLI commands via Bash means the agent will execute the installed binary with arbitrary arguments from the skill, which is expected for a CLI-driven trading skill but gives the skill the ability to place/execute trades if the private key is present.
ℹ 安装机制
Install is an npm package (openbroker) that provides the required 'openbroker' binary. This is an expected mechanism for a Node CLI, but installing arbitrary npm packages carries typical supply-chain risk (package code runs on the host). The install source is the public npm registry (homepage matches), not a direct download URL.
ℹ 凭证需求
Only HYPERLIQUID_PRIVATE_KEY is required and is declared as the primary credential — that aligns with the skill's purpose (signing/trading). However, a private key grants full trading control of the associated wallet/funds; this is highly sensitive and requires trusting the package and operator of any automation that uses it.
✓ 持久化与权限
always is false and the skill does not request system-wide config paths or other skills' credentials. Autonomous invocation is allowed (platform default) — combined with the private key this enables the agent to place trades, which is expected behavior but important to understand.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.852026/2/4
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install openbroker
镜像加速npx clawhub@latest install openbroker --registry https://cn.longxiaskill.com