← 返回 Skills 市场

Opinion Skill

Name: Opinion Skill
Author: yuandiaodiaodiao

作者 a · GitHub ↗ · v0.1.1

cross-platform ⚠ suspicious

454

总下载

当前安装

版本数

在 OpenClaw 中安装

/install opinion-skill

功能描述

基于 bun 运行时的 Opinion 预测市场工具集，支持市场查询、订单簿查看及基于多签钱包的链上交易操作。

安全使用建议

What to consider before installing: - The code implements exactly the described market queries and trading operations, but the registry metadata omitted important runtime requirements: you will need bun and (for trading) PRIVATE_KEY, MULTI_SIG_ADDRESS, and API_KEY. Treat these as highly sensitive. - Do not put your main wallet private key into .env on a system you do not fully trust. If you want to test, create a dedicated low‑value wallet/safe with limited funds and use that instead. - The scripts call two different external APIs: https://openapi.opinion.trade and http://newopinion.predictscanapi.xyz:10001. The latter is an HTTP (not HTTPS) host and is not obviously the official domain — this could expose query data (addresses, asset IDs) in transit and to the remote operator. Verify and prefer official HTTPS endpoints before sending sensitive queries. - The SKILL.md recommends installing bun via a remote installer (curl | bash). Prefer to install known runtime packages from trusted sources or use an isolated environment (container/VM) when running these scripts. - Because package.json lists dependencies, run 'bun install' only after you review package.json and the GitHub repo. Consider auditing @opinion-labs/opinion-clob-sdk version and the repo contents locally before providing any credentials. - Operational advice: run the code in an isolated environment (container or throwaway VM), inspect/verify the GitHub repo yourself, and use a test wallet. If you plan to allow autonomous agent actions, disable autonomous invocation or withhold PRIVATE_KEY until you are confident in the code and endpoints. If you want, I can: (1) list the exact locations in the code that read/write env vars and make external network calls, (2) fetch and show the GitHub repo README and commit history to help with provenance, or (3) suggest steps to run the scripts safely in a container and create a limited test wallet.

功能分析

Type: OpenClaw Skill Name: opinion-skill Version: 0.1.1 The skill is classified as suspicious primarily due to the `SKILL.md` instructions for installing `bun`. It uses `curl -fsSL https://bun.sh/install | bash`, which is a high-risk supply chain vulnerability as it executes arbitrary remote code without prior inspection. While the core functionality of the skill (trading on a prediction market) appears legitimate and all network calls are directed to expected endpoints (`http://newopinion.predictscanapi.xyz:10001`, `https://openapi.opinion.trade/openapi`), the installation method introduces a significant security risk. The skill also handles sensitive user-provided credentials (`PRIVATE_KEY`, `MULTI_SIG_ADDRESS`, `API_KEY`) for blockchain transactions, which, while necessary for its function, underscores the importance of the initial installation's integrity.

能力评估

⚠ Purpose & Capability

The skill claims an Opinion prediction‑market toolset and the scripts implement market queries and chain trades. However the registry metadata lists no required environment variables or binaries while the code and SKILL.md clearly require the bun runtime and environment variables (PRIVATE_KEY, MULTI_SIG_ADDRESS, API_KEY) for trading. That mismatch between declared requirements and actual needs is incoherent.

⚠ Instruction Scope

SKILL.md and the scripts stay within the described domain (market queries, caching, and trading) and explicitly avoid running trade scripts unless .env is configured. However the scripts make network calls to multiple external endpoints: an HTTPS openapi.opinion.trade host and an HTTP host (http://newopinion.predictscanapi.xyz:10001). Queries include user addresses and asset IDs (e.g., positions queries) which will be sent to those remote services. Using a non‑official/HTTP endpoint increases the risk that sensitive request context or probe activity could be observed or collected by a third party.

⚠ Install Mechanism

There is no formal install spec in the registry; SKILL.md instructs cloning from GitHub and running 'bun install' / using bun. It also suggests installing bun using 'curl https://bun.sh/install | bash' (a remote installer). While bun.sh is a known installer, instructing users to run a remote install script is higher risk than relying on preinstalled tooling. The package.json lists dependencies (@opinion-labs/opinion-clob-sdk, axios) so running bun install is necessary for trading scripts — this is not reflected in the registry metadata.

⚠ Credentials

Trading scripts legitimately require PRIVATE_KEY, MULTI_SIG_ADDRESS and API_KEY, and an RPC URL can be supplied. Those are sensitive secrets. The problem is the registry claims 'none' required; the primary credential is not declared. REQUESTING a user's private key is proportionate to performing on‑chain trades, but you must only provide such secrets to code you trust. Additionally, API requests are sent to a non‑standard HTTP host which could receive metadata about addresses/assetIds you query.

ℹ Persistence & Privilege

The skill is not always:true and does not request system‑wide configuration changes. It does create a cache under /root/opinionskills/scripts/.cache and assumes execution under /root/opinionskills, which implies root paths; that is a minor operational mismatch (it expects write access to /root). The skill can be invoked autonomously by the agent (platform default) — if you allow autonomous invocation and provide PRIVATE_KEY, the agent could perform transactions automatically. Combine that with the other concerns before granting credentials.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install opinion-skill
安装完成后，直接呼叫该 Skill 的名称或使用 /opinion-skill 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.1

- Added new script: `scripts/trades.ts` for querying trade history by assetId. - Updated documentation in SKILL.md to: - Describe `trades.ts` usage and options. - List `trades` in the quick command reference and environment variable section. - No breaking changes; data-querying functions expanded.

v0.1.0

Initial public release of Opinion CLOB Skills — Bun runtime toolkit for trading on the Opinion prediction market. - Provides command-line scripts for market data queries (search, price, orderbook, markets, positions) that require no configuration. - Supports full trading operations (buy, sell, cancel, balances, enable-trading) when environment variables and dependencies are set up. - Detailed step-by-step instructions included for environment setup, API access, and typical trading workflows. - Clarifies environment variable requirements, script capabilities, error handling, and command usage. - Supports both data queries and CLOB trading on BSC using Gnosis Safe wallets.

元数据

Slug opinion-skill

版本 0.1.1

许可证 —

累计安装 0

当前安装数 0

历史版本数 2

常见问题

Opinion Skill 是什么？

基于 bun 运行时的 Opinion 预测市场工具集，支持市场查询、订单簿查看及基于多签钱包的链上交易操作。它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 454 次。

如何安装 Opinion Skill？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install opinion-skill」即可一键安装，无需额外配置。

Opinion Skill 是免费的吗？

是的，Opinion Skill 完全免费（开源免费），可自由下载、安装和使用。

Opinion Skill 支持哪些平台？

Opinion Skill 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Opinion Skill？

由 a（@yuandiaodiaodiao）开发并维护，当前版本 v0.1.1。