Funpay Assistant

Author: mirra87654321 · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 653
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install funpay-assistant
Description
Automatically answers questions and problems in FunPay chats, notifies about account login, and forwards unrecognized messages to the owner.
Usage instructions (SKILL.md)

FunPay Assistant Skill

Automation of replies and monitoring of FunPay chats.

Features

  • Automatic reply to region problems (Chile/VPN).
  • Replies to availability questions ("In stock", "Are you there?").
  • Telegram notification about consent to an account login.
  • Forwarding of unrecognized messages to the owner.

Usage

The monitor.py script checks for new messages and performs actions according to its logic.

Security recommendations
Do not install/run this skill as-is. Key concerns: (1) monitor.py contains a hard-coded FunPay API key (GOLDEN_KEY) that is not declared in metadata — this exposes an account and gives the skill direct access to chats; (2) the bundle includes state.json with many real chat messages (sensitive data); (3) the description promises Telegram notifications but there is no Telegram integration or declared token, so functionality and data flows are unclear; (4) invisible/control characters were detected which can hide content. If you want to use a similar tool safely, ask the author to: remove the hard-coded key and require a documented environment variable (e.g., FUNPAY_API_KEY), scrub or omit any bundled chat logs, implement and document Telegram integration (and require TELEGRAM_BOT_TOKEN/CHAT_ID), publish installation steps and the FunPayAPI dependency, and explain exactly what data is sent externally. If you already ran this code using your environment, rotate any exposed FunPay credentials immediately and audit account activity. If the embedded key appears to belong to someone else, do not use it — contact the owner or treat the bundle as untrusted.
Functional analysis
Type: OpenClaw Skill
Name: funpay-assistant
Version: 1.0.0
The skill is classified as suspicious due to a hardcoded API key (`GOLDEN_KEY` in `monitor.py`), which is a significant security vulnerability. Additionally, the `monitor.py` script automates a social engineering tactic by offering to log into a customer's account (`REGION_ERROR_REPLY`) and then implicitly exfiltrates all non-order-confirmation chat messages and customer agreements to account access (via `print` statements) to the owner, relying on the OpenClaw agent to forward these to an external channel like Telegram as stated in `SKILL.md`. While the data exfiltration is to the owner and for the stated purpose, the combination of a hardcoded secret and automation of risky social engineering tactics warrants a 'suspicious' classification.
Capability assessment
Purpose & Capability
The description promises Telegram notifications and forwarding unknown messages to the owner, but the bundled code does not implement any Telegram API calls or require a Telegram token. Instead it contains a hard-coded FunPay API key (GOLDEN_KEY) and operates directly on chats; the skill declares no required credentials. That mismatch (claimed external notification vs actual local printing and an undisclosed API key) is incoherent.
Instruction Scope
SKILL.md simply says to run monitor.py; the script reads and writes state.json, uses a FunPay Account object with a hard-coded API key, sends replies via acc.send_message, and emits notification strings to stdout. The instructions do not document the embedded API key, the provenance of state.json (which contains many real chat messages), or how notifications reach the owner (no Telegram webhook or token). The bundle also contains a unicode/control-character artifact which may be used to hide or obfuscate content.
Install Mechanism
There is no install spec (instruction-only with bundled code). That lowers installer risk, but the code depends on an external module (FunPayAPI) with no declared install step. The lack of installation instructions means runtime behavior is unclear and may fail or cause the operator to add packages ad-hoc.
Credentials
The repository contains a clear secret (GOLDEN_KEY) hard-coded into monitor.py rather than declared as a required environment variable. The skill also bundles a state.json file containing many past chat messages (sensitive user data). The metadata declares no credentials while code includes a credential with broad access to FunPay chats — this is disproportionate and suspicious.
Persistence & Privilege
always:false (normal). The skill is invocable/autonomous by default (platform standard). Combined with the embedded API key and chat access, autonomous runs could access and reply to chats without further configuration, increasing blast radius; this combination is noteworthy though not sufficient alone to mark it malicious.
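How to use
  1. Make sure OpenClaw is installed (locally or deployed with Docker)
  2. Enter the install command in the chat box: /install funpay-assistant
  3. Once installation completes, call the Skill by name or trigger it with /funpay-assistant
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history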
v1.0.0
Initial release of FunPay Assistant Skill.
  • Automation of replies to frequent questions and problems (for example, region, VPN).
  • Telegram notifications about attempts to log in to the account.
  • Forwarding of unrecognized messages to the owner.
  • Launch and use via the monitor.py script.
Metadata
Slug funpay-assistant
Version 1.0.0
License
Total installs 0
Current installs 0
Number of versions 1
FAQ

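What is Funpay Assistant?

Automatically answers questions and problems in FunPay chats, notifies about account login, and forwards unrecognized messages to the owner. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 653 total downloads so far.

How do I install Funpay Assistant?

Run the command "/install funpay-assistant" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.

Is Funpay Assistant free?

Yes, Funpay Assistant is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Funpay Assistant support?

Funpay Assistant runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Funpay Assistant?

It is developed and maintained by mirra87654321 (@mirra87654321); the current version is v1.0.0.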
