Token Shark

实时监控新上线代币，提供多维风险评估、交易数据和价格提醒，助您把握投资机会。

This package appears to be a local/demo implementation (hard-coded sample tokens and a local alerts file) rather than a live, networked monitor despite README/SKILL.md claiming DEX/chain/social data. If you expect real-time monitoring, confirm with the author or the upstream repo before relying on it. The skill creates data/alerts.json under its directory — check file location and permissions if you run it on a shared machine. There are donation crypto addresses in README/package.json — treat them as public payment addresses (verify independently) and do not confuse them with any credential or trust signal. If future versions add real-time push or automatic trading (mentioned in roadmap), they will likely require network access and private keys; never provide private keys or wallet secrets to a skill. To proceed safely: (1) inspect the GitHub repo (link in README) to confirm sources and commits; (2) run the scripts in a sandbox/container to observe behavior; (3) verify whether a later release actually implements network calls and, if so, require that those calls use minimal, documented credentials and trustworthy endpoints.

Type: OpenClaw Skill Name: token-shark Version: 0.1.0 The skill bundle is a deceptive 'fake' utility that claims to provide real-time DEX token monitoring and risk assessment, but the implementation consists entirely of hardcoded mock data and lacks any networking logic (e.g., fetch, axios) to interact with blockchain APIs. It explicitly solicits cryptocurrency payments (USDT/USDC) to a specific address (0x33f943e71c7b7c4e88802a68e62cca91dab65ad9) to unlock 'unlimited queries' for functionality that does not exist in scripts like monitor.mjs, analyze.mjs, and risk.mjs. While it lacks traditional malware payloads like data exfiltration or RCE, its fraudulent nature and solicitation of funds for non-existent services warrant a suspicious classification.