Security Scan
OpenClaw
Suspicious
high confidence
Assessment and Recommendations
Key points before installing or running this skill:
- Inconsistency to fix: billing.js requires SKILLPAY_API_KEY, but that variable is omitted from some top-level metadata. Ensure you set SKILLPAY_API_KEY and SKILLPAY_USER_ID before running, or the skill will throw an error when it attempts to bill.
- Sensitive secret: the skill requires POLYMARKET_PRIVATE_KEY (an Ethereum private key). Only use a wallet with minimal funds and no long-term or high-value holdings. Prefer a throwaway or funded-on...
ℹ Purpose and Capabilities
The name, description, and code align: the skill fetches market data (Binance public API), computes RSI/MACD/EMA signals, discovers Polymarket markets and places orders via @polymarket/clob-client and ethers. Required binaries (node) and npm dependencies (@polymarket/clob-client, ethers) are proportional to an auto-trader. Billing via SkillPay is consistent with the billing behavior described. One mismatch: the registry-level 'Required env vars' omitted SKILLPAY_API_KEY while the SKILL.md and code require it.
⚠ Instruction Scope
SKILL.md instructs running trader.js and setting environment variables; the runtime instructions match the code's actions (fetch Binance, call Polymarket/Gamma APIs, call SkillPay billing, sign orders with a private key). However the top-level metadata (and the registry metadata supplied to OpenClaw) and the SKILL.md table are inconsistent about required env vars: billing.js throws if SKILLPAY_API_KEY is not set, but SKILL.md metadata and the registry required list omitted it in some places — this could cause silent failures or confusion. The skill reads a sensitive POLYMARKET_PRIVATE_KEY from environment (expected for signing but high‑sensitivity). All network endpoints the code uses are explicit (binance.com, gamma-api.polymarket.com, clob.polymarket.com, skillpay.me).
✓ Installation Mechanism
Install uses public npm packages (@polymarket/clob-client and ethers). This is an expected, traceable mechanism for a Node-based trading skill (moderate risk typical for npm installs). No arbitrary downloads or extracted archives are used.
⚠ Credential Requirements
Requesting an Ethereum private key (POLYMARKET_PRIVATE_KEY) is functionally necessary to sign orders, so it's proportionate to the trading purpose but is high privilege and sensitive. Billing requires SKILLPAY_API_KEY and SKILLPAY_USER_ID; those are proportionate to the described SkillPay billing flow. The problem: the registry metadata (summary at the top of the evaluation) lists only POLYMARKET_PRIVATE_KEY and SKILLPAY_USER_ID as required, but billing.js enforces SKILLPAY_API_KEY; SKILL.md also lists SKILLPAY_API_KEY in its 'Required Environment Variables' table. This inconsistency is risky because a user following only the registry-level requirements may get runtime errors or misconfigure credentials. Optional POLYMARKET_API_* variables are reasonable for higher rate limits. No unrelated secrets or extraneous cloud credentials are requested.
✓ Persistence and Permissions
always:false (default) and the skill does not request system-wide persistence or attempt to modify other skills or agent settings. It only suggests running itself as a persistent process (pm2) which is normal for a daemonized trader. The skill can be invoked autonomously (platform default) but that alone is not being flagged.
Security is layered; review the code before running.
Runtime Dependencies
No special dependencies
Version
latest v1.0.0 2026/3/5
● Suspicious
Install Command
Official: npx clawhub@latest install polymarket-autotrader-hyy
Mirror (accelerated): npx clawhub@latest install polymarket-autotrader-hyy --registry https://cn.longxiaskill.com