← 返回 Skills 市场
Query the PolyOx API for NBA data, Polymarket predictions, and AI matchup analysis. The analysis endpoint uses the x402 payment protocol (USDC on Base Sepolia).
作者
jambocoder159
· GitHub ↗
· v0.2.0
433
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install polyox-nba
功能描述
Query the PolyOx API for NBA data, Polymarket predictions, and AI matchup analysis. The analysis endpoint uses the x402 payment protocol (USDC on Base Sepolia).
安全使用建议
What to consider before installing/using this skill:
- The skill's runtime instructions require signing payments with an EVM private key or installing a third-party wallet CLI, but the skill metadata does not declare any required credentials — treat that mismatch as a warning sign. Do not set your mainnet private key (EVM_PRIVATE_KEY) in an environment accessible to shared agents or services.
- Prefer using a throwaway/testnet wallet (Base Sepolia) and fund it with small test USDC amounts before any real use. Never use production/mainnet funds unless you fully trust the code and endpoints.
- If you must use the Coinbase Agentic Wallet CLI: verify the package name, author, version, and source repository before running npx; consider auditing that package separately. Using npx runs remote code on your machine — confirm the package integrity and pin versions.
- Review and trust the API host (https://api-hoobs.polyox.io) before sending requests that trigger payments. Confirm domain ownership / docs and check for HTTPS/TLS validity.
- Because the SKILL.md instructs the agent to access/handle private keys and install tooling, you should either: (a) refuse to provide secrets and use only the skill's free, read-only endpoints; or (b) perform an independent security review of the third-party wallet tooling and the PolyOx API before handing over any private key or running any installation commands.
- If you want to change the risk profile: request the maintainer add explicit metadata (required.env includes EVM_PRIVATE_KEY or a clear note that no env var is required and only agentic wallet will be used), and provide a reproducible, auditable wallet integration path (e.g., signed releases, pinned package versions).
功能分析
Type: OpenClaw Skill
Name: polyox-nba
Version: 0.2.0
The skill is classified as suspicious due to its reliance on executing external tools via `npx` and shell commands (`curl`, `grep`, `cut`, `tr`, `base64 -d`, `jq`, `npm install`) as direct instructions to the AI agent within `skill.md`. While these commands are presented for legitimate purposes (setting up a Coinbase Agentic Wallet, interacting with the x402 payment protocol, installing Node.js dependencies), they represent a significant attack surface. The skill also instructs the agent to access environment variables like `EVM_PRIVATE_KEY` for cryptographic operations. These capabilities, if exploited through prompt injection or other vulnerabilities in the agent's execution environment, could lead to remote code execution, unauthorized cryptocurrency transactions, or data exfiltration, even though the provided content does not show explicit malicious intent.
能力评估
Purpose & Capability
The skill name/description (PolyOx NBA data + Polymarket + x402 paid analysis) matches the SKILL.md instructions: free REST endpoints plus a paid analysis endpoint using x402 (USDC on Base Sepolia). Requiring wallet access to sign x402 payments is coherent with the stated purpose. However, the skill metadata declares no required environment variables or primary credential while the runtime instructions explicitly ask the user/agent to set EVM_PRIVATE_KEY or install a wallet — this metadata/instruction mismatch is notable.
Instruction Scope
SKILL.md instructs the agent/user to: (a) set an EVM_PRIVATE_KEY env var (private key access), (b) install and use a third-party Coinbase Agentic Wallet CLI via npx (which itself requests email/OTP), and (c) perform EIP-712 signing and send signatures in request headers. These steps require access to secrets and to install/execute third-party tooling; the document also gives concrete shell commands (curl, base64, jq). The instructions therefore reach beyond simple read-only API queries into signing transactions and private-key handling — which is high-sensitivity behavior and should have been declared in metadata.
Install Mechanism
The skill itself has no install spec and is instruction-only (lower static install risk), but it explicitly tells the agent/user to run npx to add the coinbase/agentic-wallet-skills and to use npx awal@latest commands. Prompting installation of third-party npm packages at runtime is a moderate risk (pulling and executing external code). There is no pinned/verified package version in the SKILL.md excerpt and no attestations about the third-party package's provenance.
Credentials
The paid x402 flow legitimately requires signing with an EVM private key or using a wallet; requesting EVM_PRIVATE_KEY is proportionate to performing the payment. But the skill metadata lists no required environment variables while the instructions explicitly reference EVM_PRIVATE_KEY and wallet installation. That mismatch can cause an agent to read secrets that weren't declared as required. Also the guidance to authenticate via email with a third-party wallet CLI (npx) introduces additional secret exchange/credential flows that are not described in the metadata.
Persistence & Privilege
The skill does not request 'always: true' and offers no install spec or files to persist into the agent. Autonomous invocation is allowed (platform default) but not by itself a red flag here. The skill does instruct installing an external wallet CLI, but that is an action outside the skill's bundle, not a built-in persistence request by the skill itself.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install polyox-nba - 安装完成后,直接呼叫该 Skill 的名称或使用
/polyox-nba触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.2.0
- Initial release of the polyox-nba skill.
- Query NBA data, Polymarket predictions, and AI-powered matchup analysis via the PolyOx API.
- Full support for free NBA and Polymarket endpoints (teams, games, stats, markets, injuries).
- Paid AI analysis endpoint using the x402 protocol (USDC on Base Sepolia).
- Includes detailed instructions for setup with Coinbase Agentic Wallet or Node.js/TypeScript for payment handling.
元数据
常见问题
Query the PolyOx API for NBA data, Polymarket predictions, and AI matchup analysis. The analysis endpoint uses the x402 payment protocol (USDC on Base Sepolia). 是什么?
Query the PolyOx API for NBA data, Polymarket predictions, and AI matchup analysis. The analysis endpoint uses the x402 payment protocol (USDC on Base Sepolia). 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 433 次。
如何安装 Query the PolyOx API for NBA data, Polymarket predictions, and AI matchup analysis. The analysis endpoint uses the x402 payment protocol (USDC on Base Sepolia).?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install polyox-nba」即可一键安装,无需额外配置。
Query the PolyOx API for NBA data, Polymarket predictions, and AI matchup analysis. The analysis endpoint uses the x402 payment protocol (USDC on Base Sepolia). 是免费的吗?
是的,Query the PolyOx API for NBA data, Polymarket predictions, and AI matchup analysis. The analysis endpoint uses the x402 payment protocol (USDC on Base Sepolia). 完全免费(开源免费),可自由下载、安装和使用。
Query the PolyOx API for NBA data, Polymarket predictions, and AI matchup analysis. The analysis endpoint uses the x402 payment protocol (USDC on Base Sepolia). 支持哪些平台?
Query the PolyOx API for NBA data, Polymarket predictions, and AI matchup analysis. The analysis endpoint uses the x402 payment protocol (USDC on Base Sepolia). 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Query the PolyOx API for NBA data, Polymarket predictions, and AI matchup analysis. The analysis endpoint uses the x402 payment protocol (USDC on Base Sepolia).?
由 jambocoder159(@jambocoder159)开发并维护,当前版本 v0.2.0。
推荐 Skills