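📦 31Third Safe Rebalancer — Secure Rebalancing
v0.2.0
Policy-based secure portfolio rebalancing assistant for the 31Third ExecutorModule. It rebalances positions automatically and ensures compliance with preset risk-control rules.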
Last updated: 2026/4/21
Security scan
OpenClaw: Suspicious (medium confidence)
Assessment recommendations
This skill appears to implement the rebalancer it claims, but there are important mismatches and sensitive requirements you should address before installing:
- Confirm metadata vs SKILL.md: the registry lists no required env vars and 'instruction-only', but SKILL.md and the package require many env vars and include Node code. Ask the publisher to correct the manifest to list required envs and the primary credential.
- Protect private keys: the skill asks for an EXECUTOR_WALLET_PRIVATE_KEY. Never...
⚠ Purpose and capabilities
Name/description match the included code (balancer, executor, policies, ABIs) and the SKILL.md. However the registry metadata declared 'Required env vars: none' and 'instruction-only', while the SKILL.md explicitly lists multiple required environment variables (SAFE_ADDRESS, CHAIN_ID, TOT_API_KEY, RPC_URL, EXECUTOR_MODULE_ADDRESS, EXECUTOR_WALLET_PRIVATE_KEY, etc.) and the repo includes full source and ABI files. That mismatch (metadata says no envs / instruction-only; package contains code and demands sensitive envs) is disproportionate and unexplained.
ℹ Instruction scope
SKILL.md provides concrete CLI and execution steps (npm run cli commands, how to build approvals, decode/encode calldata, checkPoliciesVerbose, require scheduler==registry, etc.). The instructions are narrowly scoped to on-chain reads and executing rebalance batches, which is coherent with the stated purpose. However instructions require providing an executor private key for signing transactions, and recommend running npm scripts which will execute bundled code — both are legitimate for this use but increase risk and should be handled securely.
ℹ Installation mechanism
No installer spec in registry (instruction-only), but the skill bundle actually contains Node.js source, dist files, package.json and a package-lock. SKILL.md tells users to run 'npm install' and 'npm run build'. This is a moderate-risk pattern: installing npm deps executes third-party code and scripts. There are no external download URLs or extract steps, but running npm build/cli will execute the shipped code on the host.
⚠ Credential requirements
SKILL.md legitimately requires RPC_URL, CHAIN_ID, TOT_API_KEY, SAFE_ADDRESS, EXECUTOR_MODULE_ADDRESS and an executor private key for signing on-chain transactions. Those variables are appropriate for a rebalancer. The problem: the skill metadata did not declare any required env vars or primary credential. A skill that needs an executor private key should declare that as its primary credential so users know up-front. Requiring a private key is sensitive; ensure it's an executor-only key with limited permissions and not the Safe owner key. No unrelated credentials are requested.
✓ Persistence and privileges
The skill does not request 'always: true', does not claim to modify other skills or system-wide configs, and follows the normal autonomous-invocation defaults. No additional persistence or elevated platform privileges are requested in the manifest.
⚠ dist/tests/rebalance.test.js:325
Environment variable access combined with network send.
⚠ tests/rebalance.test.ts:351
Environment variable access combined with network send.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest: v0.2.0 (2026/2/13)
● Harmless
Install commands
Official: npx clawhub@latest install 31third-safe-rebalancer
Mirror (accelerated): npx clawhub@latest install 31third-safe-rebalancer --registry https://cn.longxiaskill.com