Security scan
OpenClaw
Suspicious (high confidence)
The skill mostly matches its stated purpose (crypto market + sentiment analysis), but the code reads undisclosed environment variables (via a .env file), requires multiple LLM/news API keys not declared in the metadata, and logs key presence. These mismatches and secret-access behaviors are concerning.
Assessment recommendations
What to consider before installing:
- Metadata mismatch: The registry lists no required env vars, but the code expects and uses LLM API keys (GROQ_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY) and a TAVILY_API_KEY. Do not provide production secrets until you confirm which keys are actually needed.
- .env loading: The code explicitly loads ../.env. That will read any secrets placed there; avoid sharing a .env containing unrelated credentials. Prefer running in a disposable/sandbox environment.
- N...
⚠ Purpose and capabilities
The code, README, and package.json show the agent legitimately needs LLM API keys (GROQ_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY) and a Tavily API key for news — this is consistent with a sentiment-analysis agent. However, registry metadata claimed no required env vars while the source loads a .env and expects those keys. The mismatch between declared requirements and actual code is an incoherence that should be resolved before trusting the skill.
⚠ Instruction scope
The SKILL.md is minimal, but the included code (fetcher/analyzer/llm adapters) instructs runtime behavior: loading ../.env, calling external APIs (CoinGecko, Tavily) and LLM services, and enforcing strict system prompts for LLM output. The code reads a .env file directly (potentially accessing any secrets placed there) and logs presence of API keys. The runtime instructions therefore go beyond what's visible in the SKILL.md front matter and metadata.
ℹ Install mechanism
There is no formal install spec in registry metadata (instruction-only), but the package.json and package-lock.json indicate npm dependencies (@anthropic-ai/sdk, openai, dotenv). Installing would pull packages from the public npm registry (moderate risk). No external arbitrary download URLs or archive extraction were found.
⚠ Credential requirements
The code requires multiple secret API keys (GROQ_API_KEY, TAVILY_API_KEY, ANTHROPIC_API_KEY, GOOGLE_API_KEY, depending on provider selection). These are proportionate to needing LLM and news services, but the skill: (a) did not declare required env vars in metadata, (b) automatically loads ../.env (which may contain other unrelated secrets), and (c) logs API key presence, increasing the risk of accidental leakage. The skill also prints LLM_PROVIDER and API key presence to stdout, which may end up in logs.
✓ Persistence and permissions
`always` is false; the skill does not request persistent platform-level privileges or modify other skills. It does not claim or require `always: true` and does not attempt to change agent/system configuration outside its own code.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/3/7
- Dependency version updates in package.json to improve stability and compatibility. - No changes to core features or documentation.
● Harmless
Install command
Official: npx clawhub@latest install agent-crypto-lens
Mirror (accelerated): npx clawhub@latest install agent-crypto-lens --registry https://cn.clawhub-mirror.com
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库