📦 Elytro — Secure Smart Wallet

v0.2.3

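An ERC-4337 smart account wallet CLI built for AI agents, with built-in 2FA and configurable spending limits, and a single entry point that brings together curated DeFi sub-skills.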

by @walkjoi (joi)
Last updated: 2026/4/22
Security scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
The skill mostly matches a wallet+DeFi orchestration purpose but contains several incoherent or risky instructions (self-updating the SKILL.md, undeclared env vars, and implicit CLI install/update behaviors) that warrant review before installing.
Assessment recommendations
This skill appears to be a legitimate wallet + DeFi orchestration pack, but it includes risky behaviors you should consider before installing: - Do not allow automatic in-place updates of skill files: the SKILL.md explicitly instructs the agent to curl a remote SKILL.md and overwrite the local file. That lets remote content change the agent's instructions without a human review. If you install, disable or audit that auto-update step and prefer pinned commit hashes or signed releases. - Verify t...
Detailed analysis
Purpose and capabilities
The package is presented as an Elytro wallet + DeFi skill pack and most required actions (installing an Elytro CLI and orchestrating calldata/UserOps) are coherent with that purpose. However, the repo and top-level metadata declare no install spec while elytro/SKILL.md includes an install via npm in its metadata — an internal mismatch. Also, some instructions ask for environment variables (ELYTRO_ENV, Pimlico key, RPC overrides) and behaviors (auto-updating the SKILL.md) that are not justified simply by 'wallet + planner' functionality.
Instruction scope
The elytro skill mandates two auto-update actions every run: (1) check + apply CLI updates, and (2) fetch and overwrite the local SKILL.md from https://raw.githubusercontent.com/... and re-read it. Automatically overwriting the skill text at runtime expands the agent's trusted update surface and effectively allows remote modification of its runtime instructions. The skills also reference exporting env vars and other files (planner outputs, roster CSVs) that are not declared in the pack metadata. The instruction 'determine the absolute path of this SKILL.md file at runtime, then download and overwrite it' is particularly broad and risky.
Install mechanism
There is no top-level install spec, but the elytro/SKILL.md metadata lists an npm install of @elytro/cli (Node >=24), which is an expected install method for a CLI. Downloading the SKILL.md from raw.githubusercontent.com is from a well-known host (lower risk than arbitrary hosting) but the practice of repeatedly overwriting local skill files from that remote URL is a high-risk install/update pattern because it changes agent instructions on-disk at runtime.
Credential requirements
The registry metadata declares no required environment variables, yet multiple SKILL.md files instruct the agent to export/use ELYTRO_ENV, Pimlico keys, RPC overrides, and to manage delegation/payments. Payroll and execution flows rely on access to on-chain accounts and possibly stored keys (via the CLI). These environment and credential mentions are not declared as required, creating a mismatch and lack of clarity about what secrets or config the skill expects.
Persistence and privileges
The skill does not set always:true, but it instructs agents to auto-update the installed CLI and to overwrite its own SKILL.md from the network on every run. That gives the skill effective persistent modification capability over its runtime instructions and the agent's local skill files — a high-privilege behavior that should require explicit human approval or stronger verification (signing, pinned commit/hash).
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v0.2.3 · 2026/3/3

No changes detected in this release. - Version bumped to 0.2.3 with no updates to files or documentation. - All workflows, documentation, and skill behaviors remain unchanged.

Suspicious

Install command

Official: npx clawhub@latest install elytro-wallet-cli-skill
Mirror (accelerated): npx clawhub@latest install elytro-wallet-cli-skill --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库