NOFX AI Trading
Author: tinkle-community · v1.1.0
Total downloads: 1172
Favorites: 0
Current installs: 5
Versions: 2
Install in OpenClaw
/install nofx
Description
NOFX AI Trading OS integration - crypto market data, AI trading signals, strategy management, trader control, and automated reporting. Use when working with...
Safe usage recommendations
What to consider before installing:
- This package expects and uses an API key (NOFX_API_KEY) and a config file (default: ~/clawd/skills/nofx/config.json) but the registry metadata does not declare those requirements — do not assume keys are optional. Provide only least-privilege exchange keys (disable withdrawals, restrict permissions and IP whitelist).
- The skill’s browser automation expects a profile named 'clawd' (logged-in session). Granting the agent/browser access to a profile can expose other site sessions/cookies; only use a dedicated, isolated browser profile and don't reuse your personal browser profile.
- The scripts call external endpoints at nofxos.ai and include examples to post to Telegram/Discord/Slack. Confirm you trust those endpoints and any webhook URLs you configure.
- The docs show running remote install scripts via curl|bash from GitHub raw — review those scripts before executing; avoid blind 'curl | bash'.
- The shipped shell scripts depend on curl and jq but the metadata does not list required binaries; ensure you inspect and run scripts locally in an isolated environment before allowing the agent to run them.
- If you proceed: review config.json and scripts manually, store API keys in a secure secret store (or environment variables with least privilege), use test/demo exchange keys first, and be prepared to rotate/revoke keys if anything suspicious occurs.
- If you want a safer assessment, provide the install.sh referenced by the docs or confirm whether the agent will be given access to your browser profile or filesystem; that information would change the risk assessment.
Functional analysis
Type: OpenClaw Skill
Name: nofx
Version: 1.1.0
The skill is classified as suspicious due to significant vulnerabilities, specifically the risk of shell injection and API key exposure. The `scripts/nofx-api.sh` script directly embeds unsanitized arguments (e.g., `symbol`, `limit`, `duration`) into `curl` commands, creating a potential remote code execution (RCE) vulnerability if an attacker can control these inputs. Additionally, the script passes the API key as a URL query parameter (`?auth=$API_KEY`), which is less secure than using an Authorization header and increases the risk of the key being logged or exposed. While the skill's stated purpose is legitimate and there's no evidence of intentional malice, these critical vulnerabilities warrant a 'suspicious' classification.
Capability assessment
Purpose & Capability
The name/description (AI trading, strategy management, browser automation) align with the included docs and scripts: API calls to nofxos.ai, browser automation guidance, strategy schemas, and trader control are present and coherent. However, the skill metadata declares no required env vars / config paths / binaries while the shipped scripts and SKILL.md expect a local config file, an API key, and a browser profile — a proportionality/documentation mismatch.
Instruction Scope
Runtime instructions and reference docs instruct the agent to: (1) read a local workspace config (skills/nofx/config.json or $HOME/clawd/skills/nofx/config.json) containing API keys, (2) use a browser profile named 'clawd' for automation (implying access to logged-in sessions/cookies), and (3) send notifications via external channels (Telegram/Discord/Slack) — these actions access sensitive local secrets and session data and are not limited to just calling the NOFX API. The SKILL.md and references also include 'curl | bash' install examples (downloading and executing remote scripts) and broad guidance such as 'use browser tool with profile: clawd' which could enable reading other web sessions if misused.
Install Mechanism
There is no formal install spec (instruction-only), so nothing is automatically written by the platform. The documentation includes commands that fetch and run scripts from raw GitHub URLs (curl -fsSL https://raw.githubusercontent.com/NoFxAiOS/nofx/main/install.sh | bash) and downloads docker-compose YAML from GitHub — common for open-source projects but higher risk if you blindly execute remote install scripts without review.
Credentials
Although registry metadata lists no required env vars or config paths, the shipped scripts and docs clearly expect: NOFX_API_KEY (or a config.json with api_key), NOFX_CONFIG (optional override), and a browser_profile (clawd). The scripts use curl and jq (external binaries) but these are not declared. The skill therefore expects access to sensitive credentials and a browser profile even though it does not declare them — this is a notable mismatch and a potential exfiltration vector if the agent/browser tool has broad access.
Persistence & Privilege
The skill is not always-included and does not request elevated platform privileges. It does not claim to modify other skills or system-wide settings. Autonomous invocation is enabled (platform default), which increases blast radius if the skill is granted secrets; that combination with the other concerns is why caution is recommended.
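How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install nofx
- Once installed, call the Skill by name or use /nofx to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output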
Version history
v1.1.0
Internationalized: all content translated to English
v1.0.0
Initial release: Complete NOFX AI Trading OS integration
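FAQ
What is NOFX AI Trading?
NOFX AI Trading OS integration - crypto market data, AI trading signals, strategy management, trader control, and automated reporting. Use when working with... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1172 cumulative downloads to date.
How do I install NOFX AI Trading?
Run the command "/install nofx" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is NOFX AI Trading free?
Yes, NOFX AI Trading is completely free (open source and free) and can be freely downloaded, installed, and used.
Which platforms does NOFX AI Trading support?
NOFX AI Trading is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed NOFX AI Trading?
It is developed and maintained by tinkle-community (@tinkle-community); the current version is v1.1.0.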