Probable Skill
Author: ternencescott · v0.1.0
Total downloads: 452
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install probable-skills-2
Description
0xProbable prediction market trading skills on BSC mainnet. Trade outcome shares (YES/NO) on real-world events via CLOB order book using @prob/clob SDK. Supp...
Security guidance
Do NOT provide a real PRIVATE_KEY or run these scripts. Key risks:
- withdraw.ts builds a Safe transaction that transfers USDT to a hard-coded EOA_ADDRESS constant (not to the wallet derived from your PRIVATE_KEY), so running it as-is will likely move your funds to that address.
- SKILL.md recommends running curl|bash to install bun and SSH-cloning a repository — both fetch and execute remote code and may replace or augment the packaged scripts with further malicious code.
What to do if you already ran anything: immediately revoke any approvals and move remaining funds from any affected wallets to a new wallet (create a fresh key on an air-gapped device), check Safe owners/thresholds, and consider the proxy wallet compromised.
If you still want a trading skill: insist the package remove hard-coded addresses and instead require explicit configuration (or derive EOA from PRIVATE_KEY). Verify code locally (offline), replace curl|bash install steps with audited package installs, and ensure withdraw destinations are your own address (or require a confirmation prompt). Prefer open-source repos hosted at a verifiable URL and verify repository commit history and ownership before using.
Functional analysis
Type: OpenClaw Skill
Name: probable-skills-2
Version: 0.1.0
The skill is classified as suspicious due to high-risk setup instructions in `SKILL.md`. Specifically, the command `curl -fsSL https://bun.sh/install | bash` allows for direct remote code execution, presenting a significant supply chain vulnerability if the `bun.sh` domain were ever compromised. Additionally, the `git clone [email protected]:user/0xprobableskills.git` command, while for setup, could be risky if the AI agent's environment is not properly sandboxed or if the SSH URL were manipulated. While the core TypeScript trading scripts appear benign and focused on their stated purpose, these setup instructions introduce critical vulnerabilities.
Capability assessment
Purpose & Capability
The skill claims to be a general 0xProbable CLOB trading toolkit but the code uses hard-coded PROXY_WALLET and EOA_ADDRESS constants. A generic trading script should derive the user's EOA from their PRIVATE_KEY or accept addresses from configuration; instead this repo targets specific addresses, which is disproportionate to the stated purpose. Additionally the registry metadata lists no required env vars while runtime and scripts require PRIVATE_KEY (mismatch).
Instruction Scope
SKILL.md instructs running remote commands: curl | bash https://bun.sh/install (a remote install script) and, if scripts are missing, cloning [email protected]:user/0xprobableskills.git via SSH. Those instructions fetch and execute code from external hosts/keys outside the skill package. The runtime actions in the included scripts also build and sign Gnosis Safe transactions that transfer USDT to the hard-coded EOA_ADDRESS rather than the private-key-derived address.
Install Mechanism
There is no formal install spec, but SKILL.md explicitly recommends piping a remote installer (bun.sh) into a shell and suggests git-cloning an external SSH repo. Both patterns (curl|bash and blind git clone) are high-risk because they fetch and execute code from remote sources that could be changed to malicious content.
Credentials
The scripts require a PRIVATE_KEY (explicitly documented in SKILL.md and used by code) but the skill metadata declared no required env vars. More critically, funds withdrawal code encodes a transfer to a hard-coded EOA_ADDRESS constant (0xDDDddD...) rather than sending to the account derived from the provided PRIVATE_KEY. Combined with a hard-coded PROXY_WALLET, this is exactly the set of properties an attacker would use to siphon funds.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or agent-wide configs. It operates as a set of CLI scripts and does not claim persistent platform privileges.
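How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install probable-skills-2
- Once installation completes, call the Skill by name or use /probable-skills-2 to trigger it
- Provide the required inputs according to the Skill's parameter documentation to get structured output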
Version history
v0.1.0
Initial release of probable-skill — CLOB trading toolkit for 0xProbable Markets on BSC.
- Provides scripts for prediction market trading: event search, order book queries, placing/cancelling orders, position and PnL tracking, and USDT withdrawals via Gnosis Safe proxy wallet.
- Includes comprehensive CLI documentation for all trading, account, and market management scripts.
- Supports limit and market orders with detailed commands to monitor balances, view open orders, check price history, and manage event information.
- Integrates with @prob/clob SDK (v0.5.0); operates on BSC mainnet with USDT as collateral.
- Clear setup and security instructions; requires bun runtime and private key configuration.
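FAQ
What is Probable Skill?
0xProbable prediction market trading skills on BSC mainnet. Trade outcome shares (YES/NO) on real-world events via CLOB order book using @prob/clob SDK. Supp... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 452 cumulative downloads so far.
How do I install Probable Skill?
Run the command "/install probable-skills-2" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is Probable Skill free?
Yes, Probable Skill is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Probable Skill support?
Probable Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Probable Skill?
It is developed and maintained by ternencescott (@ternencescott); the current version is v0.1.0.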