庄家异动探测器 (Whale Movement Detector)
by xqw1377-prog · GitHub · v1.2.0
Downloads: 343
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install poly-hunter-pro
Description
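Monitors large fund movements on Polymarket in real time, analyzes whale position changes and win-rate distribution, and supports 0.01U crypto payment callbacks.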
Usage Guidance
This skill does what it says (fetches Polymarket markets and charges a small payment to unlock data), but exercise caution before installing:
- main.py contains a hardcoded SkillPay API key. If you run this as-is the embedded key may be used to receive payments. Do NOT install or run this skill unless you trust the publisher or you replace/remove the hardcoded key.
- Confirm which SKILLPAY_API_KEY will be used at runtime; prefer to set your own SKILLPAY_API_KEY in the environment and audit the code to ensure it actually prefers env over the literal. Better: delete the default literal entirely and require the env variable.
- Review the remainder of main.py (the file appears truncated in the package manifest) to ensure there are no additional endpoints, webhook handlers, or hidden behaviors that could leak data or accept remote calls.
- The app enables permissive CORS (allow_origins=['*']); if you deploy publicly, restrict origins and secure any webhook endpoints.
- If you do not trust the developer/publisher, request provenance (homepage, owner identity) or use an alternative implementation that does not embed credentials.
What would change this assessment: if the hardcoded key is removed and the registry metadata is corrected so the required env var is consistent, the skill would be coherent and likely benign. Conversely, evidence that the embedded key is intentionally included to divert funds would raise the severity further.
Capability Analysis
Type: OpenClaw Skill
Name: poly-hunter-pro
Version: 1.2.0
The skill implements a Polymarket monitoring service with an integrated payment gateway, but it contains a hardcoded sensitive API key (SKILLPAY_API_KEY) and extremely permissive CORS configurations in main.py. While the code logic aligns with the stated purpose of tracking market movers, the inclusion of hardcoded credentials and lack of origin restrictions are significant security vulnerabilities that could lead to unauthorized use of the developer's payment account or cross-site attacks. External communications are limited to legitimate endpoints (clob.polymarket.com and api.skillpay.me).
Capability Assessment
Purpose & Capability
Name, SKILL.md, skill.yaml and code all implement Polymarket monitoring and an integrated SkillPay payment flow, which is coherent with the stated purpose. However, metadata in the registry summary (which listed no required env vars) conflicts with the included skill.yaml (which declares SKILLPAY_API_KEY required). That mismatch is unexpected and should be clarified.
Instruction Scope
SKILL.md instructs running a FastAPI service that handles payment callbacks and returns market movers. The code implements /invoke and outbound calls to Polymarket and SkillPay. The instructions are otherwise scoped to the described purpose, but the docs are light on webhook/callback security and the service enables permissive CORS (allow_origins=['*']), which increases exposure if deployed publicly.
Install Mechanism
No installer or external downloads; this is an instruction+code skill with a small set of Python dependencies listed in requirements.txt. Nothing in the install mechanism appears disproportionate.
Credentials
skill.yaml correctly declares SKILLPAY_API_KEY as required (appropriate for a payment integration), but main.py contains a hardcoded SKILLPAY_API_KEY literal default value. This contradiction is risky: if a user does not override the environment variable, the embedded key will be used — meaning payments could be routed to the developer's SkillPay account without the user's clear consent. No other unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled, does not request elevated agent privileges, and does not attempt to modify other skills or system-wide configs. It only requires network access (declared in skill.yaml).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install poly-hunter-pro
- After installation, invoke the skill by name or use /poly-hunter-pro
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
PolyHunter Pro 1.2.0 introduces automated whale monitoring and secure micro-payment integration:
- Adds real-time tracking of large fund movements on Polymarket.
- Analyzes whale position changes and win rate distributions automatically.
- Integrates SkillPay with a 0.01U payment gate for access control.
- Runs on FastAPI with concurrent API support and crypto payment callbacks.
- Enhanced to provide actionable insights for Web3 investors.
Frequently Asked Questions
What is 庄家异动探测器?
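It monitors large fund movements on Polymarket in real time, analyzes whale position changes and win-rate distribution, and supports 0.01U crypto payment callbacks. It is an AI Agent Skill for Claude Code / OpenClaw, with 343 downloads so far.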
How do I install 庄家异动探测器?
Run "/install poly-hunter-pro" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 庄家异动探测器 free?
Yes, 庄家异动探测器 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does 庄家异动探测器 support?
庄家异动探测器 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created 庄家异动探测器?
It is built and maintained by xqw1377-prog (@xqw1377-prog); the current version is v1.2.0.