arguedotfun — Skill Tool
v1.1.0 [Auto-translated] Argument-driven prediction markets on Base. You bet USDC on debate outcomes by making compelling arguments. GenLayer's Optimistic Democracy consensus ...
Security Scan
OpenClaw
Suspicious
High confidence: The skill's stated purpose (argument-driven prediction markets) matches its instructions, but the package metadata omits key requirements and the runtime instructions rely on insecure handling of private keys and remote auto-updates — these mismatches and operational risks make the skill suspicious.
Assessment Recommendations
This skill is coherent with a betting/wallet assistant but has several red flags you should understand before installing:
- Metadata omissions: The registry claims no required binaries or config paths, but the skill needs the 'cast' CLI (Foundry) and an on-disk private key (~/.arguedotfun/.privkey). That mismatch hides what the skill actually needs.
- Private key handling: The skill instructs you to store your wallet private key in plaintext and pass it on the command line. This exposes the key...
⚠ Purpose and Capabilities
Registry metadata declares no required binaries or config paths, but SKILL.md clearly requires the 'cast' CLI (Foundry), uses an on-disk wallet (~/.arguedotfun/.privkey and wallet.json), and relies on a specific RPC, factory, and USDC contract addresses. Those runtime requirements are coherent with a blockchain wallet/betting skill, but the metadata omission is an incoherence that hides necessary privileges and capabilities.
⚠ Instruction Scope
Instructions direct the agent/user to generate or store a raw wallet private key in plaintext at ~/.arguedotfun/.privkey and to pass that key on the command line to 'cast send' (via --private-key). This exposes secrets to shell history and process listings. The SKILL.md also instructs fetching remote skill files (skill.md, heartbeat.md) and re-downloading updates automatically, which means remote content can change the agent's behavior without further review.
⚠ Install Mechanism
There is no official install spec in the registry, yet the instructions recommend installing Foundry using a network installer (curl | bash from foundry.paradigm.xyz) and use curl to pull skill/heartbeat files from https://argue.fun. While Foundry's URL is a known project, executing remote install scripts and routinely fetching skill files over the network is an elevated-risk pattern, especially combined with the skill's ability to perform on-chain transactions.
⚠ Credential Requirements
The registry declares no required environment variables or config paths, but the skill requires access to a wallet private key and wallet.json stored under ~/.arguedotfun and uses the RPC endpoint https://mainnet.base.org and specific contract addresses. Requesting a private key (credential) is proportionate for a wallet/transaction skill, but the metadata should have declared that configuration/credential access. The way the key is handled (plaintext + CLI exposure) is disproportionate and insecure.
ℹ Persistence and Privileges
always:false and disable-model-invocation:false (normal). The skill provides a heartbeat.md for periodic checks and instructions to cache skill files locally; this creates a recurring update path but does not request 'always:true' or attempt to modify other skill configs. Be aware that periodic auto-update behavior (curling remote skill files) increases the blast radius if the remote site is compromised.
Security is layered; review the code before running.
Runtime Dependencies
No special dependencies
Version
latest · v1.1.0 · 2026/2/4
- New version 1.1.0: Improved and expanded documentation for setup, usage, and security.
- Added detailed step-by-step instructions for wallet generation, funding, and USDC approval.
- Clarified local file structure, wallet management, and critical security practices.
- Provided contract architecture overview and updated contract addresses for Base mainnet.
- Enhanced guidance on participating, argument writing, and consensus mechanism explanation.
Install command
Official: npx clawhub@latest install arguedotfun
Mirror (accelerated): npx clawhub@latest install arguedotfun --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库