Pond3r Skill - Query Onchain Data
Author: fabriziogianni7 · GitHub · v1.0.0
Total downloads: 725
Favorites: 2
Current installs: 1
Versions: 1
Install in OpenClaw
/install pond3r-skill
Description
Query crypto intelligence via Pond3r MCP — curated datasets, SQL queries, protocol metrics, yields, and market analysis. Use when the agent needs DeFi data, stablecoin yields, token opportunities, Polymarket trades, cross-protocol comparisons, or blockchain analytics.
Security usage recommendations
This skill is coherent with its stated function (read-only queries to Pond3r) but before installing:
1) Confirm the skill publisher/source and trust the Pond3r domains (makeit.pond3r.xyz, mcp.pond3r.xyz, api.pond3r.xyz).
2) Expect to provide a POND3R_API_KEY even though the registry metadata omits it — verify the key is read-only and scoped appropriately.
3) If you run the included scripts, Node must be available and the agent will need outbound network access to mcp.pond3r.xyz.
4) Be careful with the --sql-file option: it will read whatever file path is supplied; avoid letting the agent choose arbitrary local file paths or storing sensitive secrets in .env files accessible to the agent process.
5) If you need stronger guarantees, ask the publisher for a homepage/source repo, request that the registry metadata be corrected to list POND3R_API_KEY, and test the skill in an isolated environment before granting it access to production credentials.
Functional analysis
Type: OpenClaw Skill
Name: pond3r-skill
Version: 1.0.0
The skill is highly susceptible to prompt injection and SQL injection vulnerabilities. The `SKILL.md` instructs the agent to execute `node` scripts, specifically `scripts/query.mjs`, with user-provided SQL queries. The `query.mjs` script directly passes this SQL (from `--sql` argument or `--sql-file`) to the external Pond3r MCP API (`https://mcp.pond3r.xyz/mcp`). While the documentation claims 'SELECT only' and 'bare table names' are enforced, this design allows an attacker to craft malicious SQL via prompt injection, potentially leading to data exfiltration or reconnaissance against the Pond3r backend. Furthermore, the agent is instructed to 'Parse the JSON output and summarize for the user,' which means any successfully exfiltrated data would be presented.
Capability assessment
Purpose & Capability
Name/description match the code and instructions: this is a Pond3r MCP client for read-only SQL queries against crypto datasets. However the published registry metadata claims no required environment variables or primary credential, while both SKILL.md and all scripts require POND3R_API_KEY at runtime. That mismatch is a meaningful inconsistency (the skill will fail or prompt for an undeclared secret).
Instruction Scope
SKILL.md and the bundled scripts stay inside the described scope: they call the MCP endpoint (https://mcp.pond3r.xyz/mcp), list datasets, get schemas, and run read-only queries. Two points to note: (1) the CLI supports --sql-file <path> and will read arbitrary local files when you use that option (so be careful what file paths are passed to the script), and (2) SKILL.md instructs installing the API key into runtime configs or a .env file — ensure those storage choices meet your security requirements.
Install Mechanism
There is no remote installer or download step — the skill is instruction-only and includes small Node scripts. No external archives or third-party package installs are invoked by the skill itself. Node and network access are required to run the scripts.
Credentials
The skill requires a single API credential (POND3R_API_KEY) to authenticate to Pond3r MCP and Pond3r APIs (reference.md shows api.pond3r.xyz usage). That credential is proportionate to the stated purpose, but the skill's declared metadata does not list it. Verify the key's scope/permissions (read-only is appropriate). Also confirm you are comfortable storing that key in the runtime's MCP config or a .env file accessible to the agent process.
Persistence & Privilege
The skill is not marked always:true, doesn't request system-wide configuration changes, and contains no code that modifies other skills. It requires network access to Pond3r endpoints and will retain a short-lived Mcp-Session-Id header for sessioning, which is normal for a client.
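How to use
- Make sure OpenClaw is installed (locally or deployed via Docker).
- Enter the install command in the chat box: /install pond3r-skill
- Once installation completes, call the Skill by name or use /pond3r-skill to trigger it.
- Provide the required input according to the Skill's parameter description to get structured output.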
Version history
v1.0.0
Pond3r-skill v1.0.0
- Initial release enabling agents to query crypto/DeFi intelligence via the Pond3r MCP.
- Supports yield data, protocol metrics, token opportunities, and market analysis.
- Provides integration instructions for Cursor, Claude Code, Claude Desktop, and OpenClaw runtimes.
- CLI scripts included for MCP access when native tools are not available.
- Detailed workflow and troubleshooting guidance for both API key setup and runtime requirements.
- Strict rules for query execution, evidence reporting, and fallback behavior.
FAQ
What is Pond3r Skill - Query Onchain Data?
Query crypto intelligence via Pond3r MCP — curated datasets, SQL queries, protocol metrics, yields, and market analysis. Use when the agent needs DeFi data, stablecoin yields, token opportunities, Polymarket trades, cross-protocol comparisons, or blockchain analytics. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 725 cumulative downloads so far.
How do I install Pond3r Skill - Query Onchain Data?
Run the command "/install pond3r-skill" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Pond3r Skill - Query Onchain Data free?
Yes, Pond3r Skill - Query Onchain Data is completely free (open source and free of charge) and can be freely downloaded, installed, and used.
Which platforms does Pond3r Skill - Query Onchain Data support?
Pond3r Skill - Query Onchain Data runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Pond3r Skill - Query Onchain Data?
It is developed and maintained by fabriziogianni7 (@fabriziogianni7); the current version is v1.0.0.