← Back to Skills Marketplace
mirra87654321

Funpay Assistant

by mirra87654321 · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
653
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install funpay-assistant
Description
Автоматически отвечает на вопросы и проблемы в чатах FunPay, уведомляет о входе в аккаунт и пересылает неопознанные сообщения владельцу.
README (SKILL.md)

FunPay Assistant Skill

Автоматизация ответов и мониторинг чатов FunPay.

Возможности

  • Автоматический ответ на проблемы с регионом (Chile/VPN).
  • Ответы на вопросы о наличии ("В наличии", "Ты тут?").
  • Уведомление в Telegram о согласии на вход в аккаунт.
  • Пересылка неопознанных сообщений владельцу.

Использование

Скрипт monitor.py проверяет новые сообщения и выполняет действия согласно логике.

Usage Guidance
Do not install/run this skill as-is. Key concerns: (1) monitor.py contains a hard-coded FunPay API key (GOLDEN_KEY) that is not declared in metadata — this exposes an account and gives the skill direct access to chats; (2) the bundle includes state.json with many real chat messages (sensitive data); (3) the description promises Telegram notifications but there is no Telegram integration or declared token, so functionality and data flows are unclear; (4) invisible/control characters were detected which can hide content. If you want to use a similar tool safely, ask the author to: remove the hard-coded key and require a documented environment variable (e.g., FUNPAY_API_KEY), scrub or omit any bundled chat logs, implement and document Telegram integration (and require TELEGRAM_BOT_TOKEN/CHAT_ID), publish installation steps and the FunPayAPI dependency, and explain exactly what data is sent externally. If you already ran this code using your environment, rotate any exposed FunPay credentials immediately and audit account activity. If the embedded key appears to belong to someone else, do not use it — contact the owner or treat the bundle as untrusted.
Capability Analysis
Type: OpenClaw Skill Name: funpay-assistant Version: 1.0.0 The skill is classified as suspicious due to a hardcoded API key (`GOLDEN_KEY` in `monitor.py`), which is a significant security vulnerability. Additionally, the `monitor.py` script automates a social engineering tactic by offering to log into a customer's account (`REGION_ERROR_REPLY`) and then implicitly exfiltrates all non-order-confirmation chat messages and customer agreements to account access (via `print` statements) to the owner, relying on the OpenClaw agent to forward these to an external channel like Telegram as stated in `SKILL.md`. While the data exfiltration is to the owner and for the stated purpose, the combination of a hardcoded secret and automation of risky social engineering tactics warrants a 'suspicious' classification.
Capability Assessment
Purpose & Capability
The description promises Telegram notifications and forwarding unknown messages to the owner, but the bundled code does not implement any Telegram API calls or require a Telegram token. Instead it contains a hard-coded FunPay API key (GOLDEN_KEY) and operates directly on chats; the skill declares no required credentials. That mismatch (claimed external notification vs actual local printing and an undisclosed API key) is incoherent.
Instruction Scope
SKILL.md simply says to run monitor.py; the script reads and writes state.json, uses a FunPay Account object with a hard-coded API key, sends replies via acc.send_message, and emits notification strings to stdout. The instructions do not document the embedded API key, the provenance of state.json (which contains many real chat messages), or how notifications reach the owner (no Telegram webhook or token). The bundle also contains a unicode/control-character artifact which may be used to hide or obfuscate content.
Install Mechanism
There is no install spec (instruction-only with bundled code). That lowers installer risk, but the code depends on an external module (FunPayAPI) with no declared install step. The lack of installation instructions means runtime behavior is unclear and may fail or cause the operator to add packages ad-hoc.
Credentials
The repository contains a clear secret (GOLDEN_KEY) hard-coded into monitor.py rather than declared as a required environment variable. The skill also bundles a state.json file containing many past chat messages (sensitive user data). The metadata declares no credentials while code includes a credential with broad access to FunPay chats — this is disproportionate and suspicious.
Persistence & Privilege
always:false (normal). The skill is invocable/autonomous by default (platform standard). Combined with the embedded API key and chat access, autonomous runs could access and reply to chats without further configuration, increasing blast radius; this combination is noteworthy though not sufficient alone to mark it malicious.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install funpay-assistant
  3. After installation, invoke the skill by name or use /funpay-assistant
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of FunPay Assistant Skill. - Автоматизация ответов на частые вопросы и проблемы (например, регион, VPN). - Уведомления в Telegram о попытках входа в аккаунт. - Пересылка неопознанных сообщений владельцу. - Запуск и использование через скрипт monitor.py.
Metadata
Slug funpay-assistant
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Funpay Assistant?

Автоматически отвечает на вопросы и проблемы в чатах FunPay, уведомляет о входе в аккаунт и пересылает неопознанные сообщения владельцу. It is an AI Agent Skill for Claude Code / OpenClaw, with 653 downloads so far.

How do I install Funpay Assistant?

Run "/install funpay-assistant" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Funpay Assistant free?

Yes, Funpay Assistant is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Funpay Assistant support?

Funpay Assistant is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Funpay Assistant?

It is built and maintained by mirra87654321 (@mirra87654321); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments