← 返回 Skills 市场
ternencescott

Probable Skill

作者 ternencescott · GitHub ↗ · v0.1.1
cross-platform ⚠ suspicious
383
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install probable-skill
功能描述
0xProbable prediction market trading skills on BSC mainnet. Trade outcome shares (YES/NO) on real-world events via CLOB order book using @prob/clob SDK. Supp...
安全使用建议
This package contains working trading scripts for 0xProbable on BSC and will perform on-chain actions (create/cancel orders, withdraw from a proxy/Gnosis Safe) if you provide a PRIVATE_KEY. Before installing or running: 1) Do not run curl | bash installers without reviewing the script; install bun from a trusted source or manually. 2) Treat PRIVATE_KEY as highly sensitive — prefer using a key with minimal funds or a dedicated account for testing; verify the repository and code first. 3) Verify the hard-coded PROXY_WALLET and EOA_ADDRESS in scripts/config.ts — if these are not your addresses, withdraw/tx scripts could fail or act on other accounts. 4) Inspect withdraw.ts carefully: it constructs and signs Safe transactions — test with a small amount or on a fork/testnet first. 5) Ask the publisher to correct registry metadata to declare PRIVATE_KEY as a required credential and to document any required addresses or deployment steps. If you cannot review the code yourself, avoid supplying your main wallet private key.
功能分析
Type: OpenClaw Skill Name: probable-skill Version: 0.1.1 The skill is classified as suspicious due to a critical vulnerability in `scripts/withdraw.ts` and the use of a risky `curl | bash` command in `SKILL.md`. The `withdraw.ts` script attempts to transfer funds from a hardcoded proxy wallet (`0xE1e2380cDe7d1822ACbD097E85f72040AB106f42`) to a hardcoded burn address (`0xDDDddDcF23631d075C48e4669a5c0C227d5DdddD`) as defined in `scripts/config.ts`. If a user's provided `PRIVATE_KEY` happens to be an owner of this specific hardcoded proxy wallet, executing `withdraw.ts` would lead to irreversible loss of funds, which is a severe bug, though not clear evidence of intentional exfiltration to an attacker. Additionally, `SKILL.md` instructs users to install `bun` via `curl -fsSL https://bun.sh/install | bash`, which is a supply chain risk and a common RCE vulnerability if the remote script source is compromised.
能力评估
Purpose & Capability
The skill's name/description (0xProbable CLOB trading on BSC) aligns with the included TypeScript scripts and the @prob/clob SDK usage — the scripts implement searching, orderbook queries, limit/market orders, PnL and Gnosis Safe withdrawals as advertised. However, the registry metadata declares no required environment variables or primary credential while the code and SKILL.md clearly require a PRIVATE_KEY; that metadata omission is an inconsistency.
Instruction Scope
SKILL.md and scripts instruct the agent/user to create a .env with PRIVATE_KEY and to run the TypeScript scripts that will load that key (dotenv/config). All runtime behavior (on-chain calls, order posting, safe withdrawal) stays within trading/account management, which is expected, but the instructions also tell users to run a remote install command (curl -fsSL https://bun.sh/install | bash) and to clone a GitHub repo via git@ (SSH) if scripts are missing. Those installer/clone steps broaden the scope of what the agent will do and include executing remote code.
Install Mechanism
There is no formal install spec in registry metadata, but SKILL.md explicitly suggests installing bun via a remote installer piped to bash (curl | bash). Executing a remote install script is higher risk because it fetches and runs code from the internet. The project otherwise depends on well-known packages (@prob/clob, ethers, viem), which is reasonable for the described purpose.
Credentials
The scripts require a PRIVATE_KEY (documented in SKILL.md and used in scripts/config.ts), which is appropriate for signing blockchain transactions — but the registry metadata does not declare this required env var or a primary credential, creating a dangerous mismatch. Additionally, config.ts hardcodes PROXY_WALLET and EOA_ADDRESS constants; hard-coded addresses may not match a user's deployment and could cause unintended behavior (e.g., attempting withdrawals from an address the user does not control). The skill does not request unrelated credentials, but the missing metadata declaration and hard-coded wallet addresses are problematic.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and contains no explicit persistence beyond normal use of local files (.env, repo files). Autonomous invocation is allowed by default but is not combined with other privilege-escalating flags here.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install probable-skill
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /probable-skill 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.1
- Updated skill description to clarify trading of outcome shares (YES/NO) on real-world events and add more detail on feature coverage. - Added more explicit references to prediction markets and outcome trading in the intro. - No changes to functionality, code, or examples; documentation only.
v0.2.0
probable-skill v0.2.0 - Added detailed setup, usage instructions, and command reference in SKILL.md - Official documentation now covers market search, orderbook viewing, price queries, limit/market order placement, position management, and Gnosis Safe withdrawals on BSC mainnet - Includes environment preparation, SDK requirements, command quick reference, and troubleshooting guide - Target chain set to BSC mainnet (chainId 56), using @prob/clob SDK v0.5.0 - Security tips and fee structure now clarified for all users
元数据
Slug probable-skill
版本 0.1.1
许可证
累计安装 0
当前安装数 0
历史版本数 2
常见问题

Probable Skill 是什么?

0xProbable prediction market trading skills on BSC mainnet. Trade outcome shares (YES/NO) on real-world events via CLOB order book using @prob/clob SDK. Supp... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 383 次。

如何安装 Probable Skill?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install probable-skill」即可一键安装,无需额外配置。

Probable Skill 是免费的吗?

是的,Probable Skill 完全免费(开源免费),可自由下载、安装和使用。

Probable Skill 支持哪些平台?

Probable Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Probable Skill?

由 ternencescott(@ternencescott)开发并维护,当前版本 v0.1.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论