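Provides real-time cryptocurrency price lookup, technical indicator analysis (MA/RSI/MACD), and trading signal generation, with support for batch monitoring of multiple coins.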
Security Analysis
High confidence: The skill's crypto analysis functionality is plausible, but the package contains hardcoded SkillPay billing keys/IDs and setup scripts that modify and publish files—these are inconsistent with the declared requirements and warrant careful review before running.
Name/description promise basic crypto data and indicators (CoinGecko). The repository also contains explicit payment/billing integration (SkillPay) and scripts to configure/enable a paid edition. That extra capability can be legitimate, but the skill metadata declares no required credentials or primary credential while the code embeds SkillPay API keys and Skill IDs — a clear mismatch.
SKILL.md instructs running the included Python scripts (expected). However the shipped helper scripts (auto_setup.sh, configure_skillpay.sh, setup_skillpay.sh) will edit files in ~/.openclaw/workspace, replace Skill IDs inside scripts, run npx clawhub publish, and call SkillPay billing endpoints. Those setup/publish steps have side effects (filesystem changes, network calls, and publishing) beyond a simple analysis tool and are not documented as requiring credentials. They also rely on a hardcoded API key in the code.
There is no formal install spec (instruction-only), which reduces automatic install risk. The included scripts do call external tools (npx clawhub publish) and make outbound HTTP requests. No arbitrary binary downloads or extract-from-unknown-URL steps were found, but publishing via npx will reach the network and may install packages at runtime.
Registry metadata declares no required env vars, yet crypto_analyzer.py and paid variants reference SKILLPAY_API_KEY and include a default API key string. Multiple files also include a hardcoded BILLING_API_KEY/SKILL_ID. Requesting or embedding a billing API key (and using it by default) is disproportionate and inconsistent with declared requirements and with a free CoinGecko-based analyzer.
The skill is not always:true and does not request elevated agent privileges. However the setup scripts will modify files under the user's ~/.openclaw/workspace and invoke publish commands — i.e., they change the user's skill workspace and may publish changes to ClawHub. This is normal for an authoring/publishing workflow but is a persistent action the user should consent to.
Guidance
This skill appears to implement the claimed crypto analysis features, but there are red flags you should address before running anything:
(1) The package embeds SkillPay billing API keys and Skill IDs in multiple scripts—do NOT run setup or paid scripts unless you trust the key owner and understand the billing flow. Replace or remove any hardcoded keys and set proper environment variables (e.g., SKILLPAY_API_KEY) instead.
(2) The included setup scripts will edit files in ~/.openclaw/workspace and call 'npx clawhub publish'—review those commands and their effects, and run them only from a controlled environment or a clone.
(3) If you intend to use the paid functionality, create your own SkillPay credentials and update the scripts rather than using the bundled defaults; rotate keys if you accidentally used them.
(4) Audit network endpoints (https://skillpay.me and CoinGecko) and confirm they are legitimate for your use.
If you want, provide the exact lines with the API key/published SKILL_ID you see and I can point out where to change them and what safer defaults to use.
Latest Release
v1.0.5
- Upgrade version to 1.0.5 in SKILL.md.
- No user-facing feature updates or documentation changes except for version bump.
Published by @imgolye on ClawHub