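📦 Avantis Skill — 100x Leverage Trading
v1.0.1
Connects a wallet directly through the Python SDK to execute long and short leveraged trades on the Avantis platform on the Base chain. Supports crypto, forex, and commodities, with up to 100x leverage.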
Last updated: 2026/4/22
Security scan
OpenClaw
Suspicious
high confidence
Assessment recommendation
Do not run this skill or its scripts on any machine that holds real funds or private keys. Specific concerns: (1) The repo contains a hardcoded private key literal in multiple scripts — treat that as compromised and dangerous. (2) Several scripts read a hard-coded absolute file path (/home/ubuntu/clawd/MAIN_WALLET.txt) to extract a private key, which means the skill will look for and use host-stored secrets without clear consent or declaration. Before using: verify the key(s) are not real (rotat...
⚠ Purpose and capability
Functionality (open/close trades, check positions) matches the description. However, the skill expects direct wallet private-key access yet declares no credentials or config requirements — instead the code either hardcodes a private key or reads /home/ubuntu/clawd/MAIN_WALLET.txt. Asking for raw private keys is expected for on-chain trading, but the way keys are provided (hardcoded in repo and/or read from an absolute host path) is disproportionate and unsafe.
⚠ Instruction scope
SKILL.md instructs running the included Python scripts. The scripts access sensitive data outside the skill (reads /home/ubuntu/clawd/MAIN_WALLET.txt) and some files contain a hardcoded private key literal. The SKILL.md/README do not declare or warn that scripts will read host files, nor do they require or document secure secret handling — this scope creep (access to arbitrary local host files containing secrets) is dangerous and not properly declared.
✓ Install mechanism
No install spec or remote downloads are present (instruction-only plus included Python scripts). Dependency on an external Python SDK (avantis-trader-sdk) is declared in documentation but not installed automatically. No suspicious external URLs or archive extraction were used by the skill itself.
⚠ Credential requirements
The package declares no required environment variables or primary credential, yet scripts require a private key. Worse, two scripts embed a literal private key string and several scripts read a specific file path (/home/ubuntu/clawd/MAIN_WALLET.txt) and extract a line. This is disproportionate and unsafe: secrets are present in the codebase and the skill will access host files without explicit, declared permissions or guidance for secure handling.
⚠ Persistence and privileges
always is false and the skill is user-invocable, but autonomous invocation is allowed by default. Combined with embedded/read private keys, autonomous invocation increases the blast radius: an agent could run trades or move funds using the available keys. The skill does not request persistent platform-wide privileges, but its ability to act programmatically on a private key is a significant operational privilege.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest · v1.0.1 · 2026/2/5
● Suspicious
Install command
Official: npx clawhub@latest install avantis-skill
Mirror (accelerated): npx clawhub@latest install avantis-skill --registry https://cn.longxiaskill.com