加密货币自学系统。每天早上9点自动推送学习内容;每次调用都必须产出小白友好、可直接学习的详细报告(不是只给标题),并通过 web_search 检索并整合最新资料。包含完整学习大纲(小白向、投资向、进阶投资三个阶段),支持进度跟踪、跳过与重置。
Security Analysis
high confidenceThe skill promises daily, web_search-backed, long structured learning reports and strict output rules, but the bundled code does not perform web searches or generate the required detailed reports—therefore behavior and claims are inconsistent.
The manifest and SKILL.md claim the agent must perform web_search, integrate latest sources, and always produce long (>=450字) multi-section lessons. The bundled scripts (crypto_learning.py and learn.py) only read local content.json/progress.json and output short, simple messages or JSON objects. There is no implementation of web_search, network retrieval, nor enforcement of the detailed output template and hard constraints. The README/schedule.sh mention sending via a message tool, but no credentials or real sending implementation exist. This mismatch indicates the skill will not deliver the advertised capabilities without additional platform features or code changes.
SKILL.md instructs reading progress.json/content.json (which the code does) and explicitly requires web_search and synthesizing multiple external sources. No code calls network or browser APIs; schedule.sh only runs local scripts and writes to /tmp. The SKILL.md also imposes strict output formatting rules (6 modules, term explanations, 3 self-test questions, >=450字), none of which are validated or produced by the included code. If the agent runtime provides a separate web_search capability and is expected to follow SKILL.md instructions at call time, that could satisfy some behavior, but the packaged code alone does not implement or enforce the described scope.
No install specification is provided (instruction-only plus scripts). No external download, package installation, or archive extraction is present in the bundle. This minimizes install-time risk—nothing external is automatically fetched by an installer.
The skill declares no required environment variables, no credentials, and no config paths. The code references only local files inside the skill (content.json, progress.json) and writes a temporary file /tmp/crypto-learning-today.txt in schedule.sh. There is no apparent request for unrelated secrets or privileged credentials.
always is false and the skill does not request permanent platform-level privileges. It persists progress to progress.json within the skill directory (expected behavior for a learning tracker). schedule.sh suggests a cron-driven push but does not actually register a system-wide cron job—deployment/configuration would be required. No modification of other skills or system-wide configs is present.
Guidance
This skill's description promises automated daily lessons that fetch and synthesize web sources and always produce long, structured reports, but the included scripts only read local content/progress and print short messages. Before installing or relying on it: - Decide which behavior you expect: if you need live web searches and the strict report format, you'll need either (A) the platform's web_search/browser capability hooked into the agent at runtime and the agent instructed to follow SKILL.md exactly, or (B) the skill code modified to perform web requests and generate the long formatted reports. The bundle as-is will not perform web searches. - Test locally: run learn.py and crypto_learning.py commands (today/next/status/reset) to see the actual outputs and how progress.json is updated. - Messaging/scheduling: schedule.sh just writes to /tmp and echoes content; it does not actually send messages. If you expect automatic 9:00 pushes to Telegram or another channel, implement and secure the message-sending step and set up a proper scheduler. - Data persistence: progress.json is stored in the skill directory and will be modified by the scripts—backup if you care about the data. - Security posture: no credentials are requested and no external installers are used, so direct exfiltration risk from this bundle is low; however, if you or a maintainer extend the skill to call external services or add message-sending (e.g., Telegram API), inspect those additions and protect any tokens. If you want this to behave as advertised, ask the author to (1) implement the web_search/synthesis step or explicitly state that the platform's web_search will be used at runtime, and (2) implement/enforce the SKILL.md output constraints or remove them to match actual code.
Latest Release
v1.0.1
sync updates
More by @hmzo
Published by @hmzo on ClawHub
