Whale Movement Detector (庄家异动探测器)

Author: xqw1377-prog · GitHub ↗ · v1.2.0
cross-platform ⚠ suspicious
Total downloads: 343
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install poly-hunter-pro
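Description
Monitors large fund movements on Polymarket in real time, analyzes whale position changes and win-rate distribution, and supports 0.01U crypto payment callbacks.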
Security usage recommendations
This skill does what it says (fetches Polymarket markets and charges a small payment to unlock data), but exercise caution before installing:
- main.py contains a hardcoded SkillPay API key. If you run this as-is the embedded key may be used to receive payments. Do NOT install or run this skill unless you trust the publisher or you replace/remove the hardcoded key.
- Confirm which SKILLPAY_API_KEY will be used at runtime; prefer to set your own SKILLPAY_API_KEY in the environment and audit the code to ensure it actually prefers env over the literal. Better: delete the default literal entirely and require the env variable.
- Review the remainder of main.py (the file appears truncated in the package manifest) to ensure there are no additional endpoints, webhook handlers, or hidden behaviors that could leak data or accept remote calls.
- The app enables permissive CORS (allow_origins=['*']); if you deploy publicly, restrict origins and secure any webhook endpoints.
- If you do not trust the developer/publisher, request provenance (homepage, owner identity) or use an alternative implementation that does not embed credentials.

What would change this assessment: if the hardcoded key is removed and the registry metadata is corrected so the required env var is consistent, the skill would be coherent and likely benign. Conversely, evidence that the embedded key is intentionally included to divert funds would raise the severity further.
Functional analysis
Type: OpenClaw Skill
Name: poly-hunter-pro
Version: 1.2.0
The skill implements a Polymarket monitoring service with an integrated payment gateway, but it contains a hardcoded sensitive API key (SKILLPAY_API_KEY) and extremely permissive CORS configurations in main.py. While the code logic aligns with the stated purpose of tracking market movers, the inclusion of hardcoded credentials and lack of origin restrictions are significant security vulnerabilities that could lead to unauthorized use of the developer's payment account or cross-site attacks. External communications are limited to legitimate endpoints (clob.polymarket.com and api.skillpay.me).
Capability assessment
Purpose & Capability
Name, SKILL.md, skill.yaml and code all implement Polymarket monitoring and an integrated SkillPay payment flow, which is coherent with the stated purpose. However, metadata in the registry summary (which listed no required env vars) conflicts with the included skill.yaml (which declares SKILLPAY_API_KEY required). That mismatch is unexpected and should be clarified.
Instruction Scope
SKILL.md instructs running a FastAPI service that handles payment callbacks and returns market movers. The code implements /invoke and outbound calls to Polymarket and SkillPay. The instructions are otherwise scoped to the described purpose, but the docs are light on webhook/callback security and the service enables permissive CORS (allow_origins=['*']), which increases exposure if deployed publicly.
Install Mechanism
No installer or external downloads; this is an instruction+code skill with a small set of Python dependencies listed in requirements.txt. Nothing in the install mechanism appears disproportionate.
Credentials
skill.yaml correctly declares SKILLPAY_API_KEY as required (appropriate for a payment integration), but main.py contains a hardcoded SKILLPAY_API_KEY literal default value. This contradiction is risky: if a user does not override the environment variable, the embedded key will be used — meaning payments could be routed to the developer's SkillPay account without the user's clear consent. No other unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled, does not request elevated agent privileges, and does not attempt to modify other skills or system-wide configs. It only requires network access (declared in skill.yaml).
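How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install poly-hunter-pro
  3. Once installation completes, invoke the Skill by name or trigger it with /poly-hunter-pro
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output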
Version history
v1.2.0
PolyHunter Pro 1.2.0 introduces automated whale monitoring and secure micro-payment integration:
- Adds real-time tracking of large fund movements on Polymarket.
- Analyzes whale position changes and win rate distributions automatically.
- Integrates SkillPay with a 0.01U payment gate for access control.
- Runs on FastAPI with concurrent API support and crypto payment callbacks.
- Enhanced to provide actionable insights for Web3 investors.
Metadata
Slug: poly-hunter-pro
Version: 1.2.0
License:
Total installs: 0
Current installs: 0
Historical versions: 1
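FAQ

What is Whale Movement Detector (庄家异动探测器)?

It monitors large fund movements on Polymarket in real time, analyzes whale position changes and win-rate distribution, and supports 0.01U crypto payment callbacks. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 343 total downloads so far.

How do I install Whale Movement Detector?

Run the command "/install poly-hunter-pro" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is Whale Movement Detector free?

Yes, Whale Movement Detector is completely free (open source and free of charge) and can be freely downloaded, installed and used.

Which platforms does Whale Movement Detector support?

Whale Movement Detector runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Whale Movement Detector?

It is developed and maintained by xqw1377-prog (@xqw1377-prog); the current version is v1.2.0.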
