River Autotrader

Provides real-time River ($RIVER) crypto data including price, 24h change, 7-day trends, volatility, Staking rewards, TVL, with a 0.001 USDT fee per query.

This skill implements the paid River data flow but has multiple red flags you should address before installing: (1) It embeds a SkillPay/TokenPay API key directly in config and code — treat that as a leaked secret and ask the author to remove it and require SKILLPAY_API_KEY as a declared env var. (2) The skill metadata does not declare any required credentials despite performing payment operations; ask for explicit required env vars and documentation of what the key is/where it came from. (3) The script will return data even when payment creation fails (bypassing the pay requirement) — clarify intended behavior. (4) The skill's source/homepage is unknown; prefer skills with verifiable origin and privacy/payment policies. Recommended actions: request that the publisher (a) remove hard-coded secrets, (b) declare SKILLPAY_API_KEY in requires.env and document its scope, (c) provide a trustworthy homepage or repo, and (d) explain how payment verification is enforced. If you cannot verify these items or trust the publisher, avoid installing or using this skill (to avoid accidental charges, secret leakage, or untrusted payment endpoints).

Type: OpenClaw Skill Name: river-autotrader Version: 1.0.0 The skill implements a mandatory pay-per-use mechanism (0.001 USDT) for cryptocurrency data, directing users to an external payment gateway (tokenpay.me) via instructions in SKILL.md. It contains a hardcoded API key (sk_4fcce5e213933a634f32a6d43ace17df562ff60c3cb114c122d46d1376fbec4b) in scripts/river_data.py and references/config.md. While the script does not exhibit direct data exfiltration or system compromise, the use of an AI agent to solicit third-party payments and the inclusion of hardcoded credentials are high-risk behaviors that deviate from standard skill functionality.