← 返回 Skills 市场
庄家异动探测器
作者
xqw1377-prog
· GitHub ↗
· v9.9.9
339
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install poly-hunter-one
功能描述
实时监控 Polymarket 大额资金异动,分析庄家持仓和胜率,支持 SkillPay 0.01U 加密支付回调。
安全使用建议
Key issues to consider before installing:
- There is a hardcoded SkillPay API key in main.py. By default, payments created by this skill will go to the account that owns that key. If you install this skill, replace SKILLPAY_API_KEY with your own SkillPay key (set it in environment) and verify SKILLPAY_API_BASE if you want payments to route to your account. Do not rely on the embedded key.
- The skill manifest does not declare the SKILLPAY_API_KEY requirement despite the code depending on it. That mismatch is a red flag and means the author did not follow least-privilege/clear-declaration practices.
- The service exposes an HTTP /invoke endpoint with very permissive CORS (wildcard origins). Run it in an isolated network environment if possible and avoid exposing it to untrusted networks.
- The code only networks to polymarket (clob.polymarket.com) and SkillPay endpoints — there is no other obvious exfiltration. Still, because payments are routed externally, verify the SkillPay account destination before sending funds.
- If you want to use this skill safely: a) set SKILLPAY_API_KEY and SKILLPAY_API_BASE to your own values in a secure environment variable store, b) audit the key in main.py and remove or rotate it, c) run the service behind an authenticated proxy or in a sandbox, and d) consider contacting the author to request that credentials not be hardcoded and be declared in the manifest.
If you cannot or will not supply your own SkillPay credentials and cannot verify the embedded key, do not install or invoke the skill because micro-payments will be directed to an account you do not control.
功能分析
Type: OpenClaw Skill
Name: poly-hunter-one
Version: 9.9.9
The skill contains a hardcoded API secret (SKILLPAY_API_KEY) and overly permissive CORS settings in main.py, which are significant security vulnerabilities. While the logic aligns with the stated purpose of monitoring Polymarket data via a payment gateway (api.skillpay.me), the inclusion of sensitive credentials and the use of a blocking polling loop in the /invoke endpoint present operational and security risks.
能力评估
Purpose & Capability
The name/description (monitor Polymarket movers, charge 0.01U via SkillPay) aligns with the code which queries Polymarket endpoints and creates SkillPay charges. However the skill does not declare the SKILLPAY_API_KEY in its manifest/requirements even though the code depends on it — instead a long hardcoded default API key is present in main.py. Embedding a payment API key in code and failing to declare required credentials is inconsistent and risky.
Instruction Scope
SKILL.md is short and stays on-topic (FastAPI deployment, payment callback). The runtime code only performs network calls to Polymarket and SkillPay and exposes a /invoke endpoint; it does not attempt to read unrelated files or environment state. Still, SKILL.md does not mention the required SkillPay credential or the default hardcoded key present in the code.
Install Mechanism
No installer downloads arbitrary code; requirements.txt lists standard packages (fastapi, uvicorn, requests, pydantic). The skill is instruction + included source files (no remote installers), so install risk is low.
Credentials
The code expects SKILLPAY_API_KEY and SKILLPAY_API_BASE but the skill metadata lists no required env vars or primary credential. Worse: main.py contains a long hardcoded SKILLPAY_API_KEY default, meaning payments will be created against the embedded key unless the operator overrides it. This is disproportionate and unexplained for a user-installed skill — it effectively routes micro-payments to whoever controls that key.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It exposes an HTTP API and enables permissive CORS (allow_origins and allow_origin_regex wildcard), which increases exposure but is not special platform privilege.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install poly-hunter-one - 安装完成后,直接呼叫该 Skill 的名称或使用
/poly-hunter-one触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v9.9.9
PolyHunter Skill 9.9.9 introduces real-time whale activity detection for Polymarket.
- Real-time monitoring of large fund movements on Polymarket.
- Automated analysis of whale position changes and win rate distribution.
- Integrated SkillPay payment gateway (0.01U threshold) to access intelligence.
- FastAPI-based deployment supports concurrent API calls and crypto payment callbacks.
- Driven by proprietary "星爷选股" logic for accurate Web3 market insights.
元数据
常见问题
庄家异动探测器 是什么?
实时监控 Polymarket 大额资金异动,分析庄家持仓和胜率,支持 SkillPay 0.01U 加密支付回调。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 339 次。
如何安装 庄家异动探测器?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install poly-hunter-one」即可一键安装,无需额外配置。
庄家异动探测器 是免费的吗?
是的,庄家异动探测器 完全免费(开源免费),可自由下载、安装和使用。
庄家异动探测器 支持哪些平台?
庄家异动探测器 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 庄家异动探测器?
由 xqw1377-prog(@xqw1377-prog)开发并维护,当前版本 v9.9.9。
推荐 Skills