Security scan
OpenClaw
Suspicious
high confidence
Assessment and recommendations
This skill is inconsistent: its description promises multi-exchange/wallet aggregation and a report script, but the included scripts are simple local tools (a static portfolio tracker hitting CoinGecko and an alert writer) and a generate_report.js referenced in the docs is missing. Before installing or running: 1) Inspect scripts yourself (you already have them) — they do not exfiltrate data or contact unknown endpoints; track_portfolio.js only queries api.coingecko.com. 2) Do not paste real API...
⚠ Purpose and capabilities
The name/description promise multi-platform portfolio aggregation (Binance, Coinbase, wallet tracking), real-time updates, alerts, and report generation. The included code does not implement those integrations: track_portfolio.js uses a hard-coded PORTFOLIO constant and only queries CoinGecko; it does not read references/config.json, does not call exchange or blockchain explorer APIs, and does not accept wallet addresses. SKILL.md also documents a generate_report.js command that is not present. These mismatches mean the skill does not deliver the claimed capabilities and may mislead users about what data it needs.
⚠ Instruction scope
SKILL.md instructs users to configure references/config.json (which contains API key placeholders) and to run scripts including generate_report.js (missing). However, the runnable scripts do not read or use that config.json (track_portfolio uses an internal PORTFOLIO) and set_alert writes to references/alerts.json. The instructions are therefore out-of-sync with the actual runtime behavior, granting the agent vague authority ('use when you need to monitor wallets/exchanges') that the code does not exercise.
✓ Install mechanism
No install spec and no external downloads — instruction-only plus two small JS scripts. No archives, no third-party package installs, and no unusual install behavior identified.
ℹ Credential requirements
The skill requires no environment variables and no primary credential. references/config.json contains placeholders for exchange API keys and Telegram SMTP settings (empty by default). That by itself is not malicious, but because the README suggests exchange/wallet integration while the code doesn't use those keys, a user could be misled into supplying sensitive keys later (or in a future version of the skill).
✓ Persistence and privileges
The skill does not request elevated or persistent platform privileges (always:false). It will create/write references/alerts.json when set_alert.js runs, which is normal for a local alerts store.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/18
● Benign
Install command
Official: npx clawhub@latest install crypto-portfolio-tracker-pro
Mirror (accelerated): npx clawhub@latest install crypto-portfolio-tracker-pro --registry https://cn.longxiaskill.com