Security Scan
OpenClaw
Security
medium confidence
The skill appears to be what it claims — a Node-based DeFi stablecoin yield monitor that queries public APIs and contains marketing/docs — with no obvious disproportionate credential or install demands, though a few minor inconsistencies and privacy/operational notes deserve attention before you run it.
Assessment recommendations
This package is generally coherent with its stated purpose, but before running or publishing it you should: 1) Review scripts/monitor.mjs and other .mjs files to see exactly which external endpoints they call and whether any hard-coded endpoints or webhooks exist; 2) Run the code in a safe environment (container or VM) and inspect outgoing network requests (to confirm only DeFiLlama/Coingecko and expected APIs are contacted); 3) Be cautious with the publish instructions — they ask you to obtain/...
✓ Purpose and capabilities
Name/description match what the repository contains: Node scripts for monitoring, comparing, calculating, alerting, and reporting yields from public DeFi data sources (DeFiLlama/Coingecko). Required binaries (node, npm) and a node-fetch dependency are appropriate for this purpose.
ℹ Instruction scope
SKILL.md and scripts instruct running local Node scripts (e.g., node scripts/monitor.mjs) and reference DeFiLlama and other public APIs — this fits the stated purpose. Several promotional files include CLI publish instructions and paths (e.g., /root/.openclaw/...) and wallet addresses; those are documentation/promotion artifacts and not required at runtime. Some scripts (alert.mjs) describe notification modes like telegram/webhook/email but only simulate behavior; confirm whether monitor.mjs actually performs network requests before running.
ℹ Install mechanism
There is no formal install spec in the registry metadata (no automated download/install), but package.json and multiple scripts are included. That is coherent for a skill you run locally, but the metadata's 'instruction-only' note (if present elsewhere) is slightly misleading given the presence of code files. No remote binary downloads or obscure URLs are used in the manifest.
✓ Credential requirements
The skill declares no required environment variables or credentials. Some documentation (publish guides) shows using a CLAWHUB_TOKEN for publishing to ClawHub — that is an optional publisher-action and not required for normal monitoring. No requests for unrelated cloud credentials or secret environment variables are present in runtime scripts.
✓ Persistence and privileges
The skill does not request always:true and does not declare any system config paths or privileged persistent hooks. It runs as local Node scripts; nothing in the package indicates it will force-enable itself or modify other skills.
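Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.6 2026/3/5
✨ Added history.mjs history-tracking feature, with support for APY trend analysis
● Benign
Install command
Official: npx clawhub@latest install yield-shark
Mirror (accelerated): npx clawhub@latest install yield-shark --registry https://cn.longxiaskill.com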