by 安全扫描
OpenClaw
安全
high confidenceThe skill's code, instructions, and dependencies are consistent with a tool that discovers and prepares Api3 feed activation/funding workflows (it prepares data and transaction payloads but does not appear to exfiltrate secrets or secretly broadcast transactions).
评估建议
This skill appears coherent with its stated purpose: it discovers Api3 feeds, inspects on-chain and market state, and prepares activation/top-up plans. It does not itself declare or require credentials, but meaningful activation requires a wallet and signing capability — the skill prepares transaction inputs rather than secretly broadcasting them. Before installing, verify you trust any agent or other skill that will provide wallet access or private keys, and confirm your runtime will only grant...详细分析 ▾
✓ 用途与能力
Name/description match the included code and docs: the package uses @api3 contracts, dapi-management, and ethers to discover feeds, read on-chain state, compute proxies, and prepare activation/top-up plans. The network endpoints (market.api3.org and a GitHub-hosted pricing JSON) and contract packages are proportionate to the stated goal.
ℹ 指令范围
SKILL.md confines the agent to discovery, status checks, runway estimates, and preparing execution instructions; it explicitly recommends permissionless paths and states when execution isn't possible. It asks the agent to gather 'wallet/funder available to the agent' and whether execution is allowed, but does not itself prescribe reading private keys or specific env vars — this is reasonable, but leaves the method for transaction signing/broadcasting unspecified. The README states it does not broadcast transactions; the code appears to prepare calls and read data rather than sending signed txs.
✓ 安装机制
There is no install spec (instruction-only skill), which minimizes installer risk. The bundle includes code and a package.json with legitimate dependencies necessary for Ethereum interactions (@api3 packages, ethers). Running the included scripts requires a Node environment and the listed dependencies; that is expected for this skill's function.
ℹ 凭证需求
The skill declares no required env vars or credentials. That aligns with its model of preparing transactions and requiring an external wallet to execute. However, practical activation/top-up flows will require a wallet and signing authority held by the agent or another skill — the skill does not request or document how private keys should be supplied. Users should ensure any wallet access provided to an agent is intentional and limited to the actions they approve.
✓ 持久化与权限
The skill does not request permanent/always-on inclusion and does not modify other skills or global agent configuration. Default autonomy (disable-model-invocation false) is normal for skills and acceptable here given the limited scope.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install api3-feed-manager
镜像加速npx clawhub@latest install api3-feed-manager --registry https://cn.longxiaskill.com 镜像可用
本土化适配说明
Api3 Feed Manager — 技能工具 安装说明: 安装命令:["openclaw skills install api3-feed-manager","npx clawhub@latest install api3-feed-manager"]