Hyperscaled Funded 账户
v1.0.2Interact with the Hyperscaled funded trading 平台. Use when the 用户 wants to check their trading 账户, view positions/orders, submit or cancel trades...
0· 111·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's purpose (interacting with a funded trading account) matches the instructions, but it asks or enables actions that could expose secrets (private keys), and it encourages installing an unvetted pip package — these mismatches warrant caution.
评估建议
This skill appears to be what it claims (a CLI/SDK for Hyperscaled funded accounts) but has a few practical risks you should consider before installing or using it:
- Do not paste your private keys or other long-lived secrets into chat. Several commands accept a --private-key flag; prefer local signing, hardware wallets, or ephemeral keys. The agent can run Bash/Read, so avoid giving secrets in prompts.
- The SKILL.md tells you to run `pip install hyperscaled`. Verify the package's provenance (...详细分析 ▾
✓ 用途与能力
Name and description match the instructions: the SKILL.md documents a CLI and SDK for managing Hyperscaled-funded trading accounts and trading actions. No unrelated services or credentials are requested in metadata.
⚠ 指令范围
The runtime instructions instruct the agent to install and run a third-party CLI (pip install hyperscaled) and to run many CLI commands. Several commands accept sensitive inputs (e.g., --private-key 0x...), and the skill allows tools such as Bash and Read, which would permit reading local files/configs. The skill does not declare any config paths or environment variables despite referring to saved configuration and private-key flags; that creates a risk that the agent could be used (or misuse prompts could lead it) to exfiltrate secrets or read local config files.
ℹ 安装机制
The skill is instruction-only (no install spec), but tells the agent to run `pip install hyperscaled`. Installing an unvetted PyPI package can execute arbitrary code during installation and is a moderate risk. The skill doesn't point to a vetted release repo or homepage to verify the package source.
⚠ 凭证需求
No environment variables are required by the skill metadata, yet the CLI supports passing private keys and saving wallet addresses to local config. Requesting or handling private keys is high-privilege and should be explicitly justified and declared; the absence of declared secrets while the instructions reference secret-bearing flags is disproportionate.
ℹ 持久化与权限
The skill does not request 'always' presence and does not declare system-wide modifications. It does instruct saving a wallet to the CLI config (local modification), which is normal for a CLI, but combined with the ability to run Bash/Read this could alter local config files — users should be aware of local state changes.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/3/26
- Updated SKILL.md to clarify and expand outputs for account, risk, and leverage monitoring. - "Account info" command now explicitly lists intraday & EOD drawdown, account type, and leverages. - Added guidance to highlight risk warnings: drawdown approaching limits and leverage near cap, making distinction between "challenge" and "funded" accounts (challenge = 1/4 leverage cap). - Adjusted output formatting and risk warnings accordingly. - No functional logic changes, only improvements in documentation and user guidance. - Renamed SKILL.md to uppercase for consistency; removed old skill.md.
● 无害
安装命令
点击复制官方npx clawhub@latest install funded-account
镜像加速npx clawhub@latest install funded-account --registry https://cn.longxiaskill.com 镜像可用