📦 pionex-portfolio — Skill tool
v1.0.0
Use when the user asks for Pionex account balance, available funds, or “how much USDT do I have”. Read-only; requires API credentials. Do NOT use for market...
0 · 18 · 0 current · 0 total
Security scan
OpenClaw
Suspicious
High confidence: The SKILL.md describes a read-only Pionex balance skill, but the package and credential requirements in the instructions are not declared in the registry metadata and the install step asks to install a third-party npm CLI — these mismatches and the lack of declared credential handling are concerning.
Assessment recommendation
This skill claims to be read-only but the package and credential requirements appear only inside SKILL.md and are not declared in the registry — that's a red flag. Before installing or enabling it, ask the publisher to: 1) explicitly list required credentials (names and recommended least-privilege scopes) and where/how they are stored; 2) provide the source (npm page and upstream repo) for @pionex/pionex-ai-kit so you can audit it; 3) explain what 'pionex-ai-kit onboard' does (interactive, netwo...
⚠ Purpose and capabilities
The skill's purpose (read-only Pionex account balances) is reasonable, but the registry metadata lists no required credentials or binaries while SKILL.md explicitly requires installing an npm package and states it requires API credentials. The declared runtime bins and credential needs in SKILL.md are not reflected in the skill's top-level requirements, which is incoherent.
⚠ Instruction scope
SKILL.md instructs the agent to install @pionex/pionex-ai-kit and run 'pionex-trade-cli account balance' and to run 'pionex-ai-kit onboard' to provide API credentials. The instructions do not describe how credentials are provided/stored or what permissions are required. 'onboard' could be interactive or write secrets to disk/network, which the registry metadata does not disclose.
⚠ Install mechanism
There is no install spec in the registry, but SKILL.md contains an install block that installs a public npm package (@pionex/pionex-ai-kit) and adds global bins. Installing a third-party npm package (global) is a moderate risk because arbitrary code will be executed on install/runtime; the registry should have declared this and justified it.
⚠ Credential requirements
The skill states it requires API credentials but the registry lists no required env vars or primary credential. This omission prevents an informed review of the exact secret types needed. The skill should declare the exact credentials (e.g., PIONEX_API_KEY, PIONEX_API_SECRET) and recommend least-privilege (read-only) tokens.
ℹ Persistence and permissions
always:false (good). However, SKILL.md suggests performing a global npm install, which writes binaries to disk and may persist configs/credentials via the 'onboard' flow. Autonomous invocation combined with undisclosed credential access increases potential blast radius, so clarify install and storage behavior.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest · v1.0.0 · 2026/4/16
Initial release
● Harmless
Install command
Official: npx clawhub@latest install pionex-portfolio
Mirror (accelerated): npx clawhub@latest install pionex-portfolio --registry https://cn.longxiaskill.com (mirror sync in progress)