← 返回 Skills 市场
597
总下载
0
收藏
4
当前安装
13
版本数
在 OpenClaw 中安装
/install token-analyzer
功能描述
基于官方 GMGN API 的代币分析工具。通过合约地址查询代币在 SOL/BSC/Base 链上的准确市场数据、安全检测、KOL 分析、开发者分析和 AI 智能分析(叙事/筹码/老鼠仓/机器人)。支持自动识别链。
安全使用建议
This skill appears to do what it claims (query GMGN and analyze tokens) but I found several red flags you should consider before installing or running it:
- Embedded secret: scripts/token_query.py contains a hardcoded AVE_API_KEY. Embedded API keys are a security and provenance concern — ask the author to remove it and provide a documented mechanism (environment variable or user-provided key) instead.
- Undeclared dependencies: the SKILL.md and code expect a Chrome DevTools endpoint (CDP on localhost:9222), a specific Chrome extension (OpenClaw Browser Relay), and the external 'bird' CLI for Twitter scraping. The registry metadata does not list these binaries. Ensure you only run this on a trusted machine, and install/inspect the extension and bird CLI from official sources.
- Local CDP risk: the skill instructs you to run Chrome with remote debugging and attach OpenClaw to it. Exposing a CDP port (even bound to localhost) can be risky if other local processes are untrusted. Only start Chrome with CDP bound to 127.0.0.1, and prefer running as a non‑privileged user and in an isolated environment.
- Prompt injection / hidden chars: the SKILL.md contained unicode control characters. Ask the author for a cleaned SKILL.md or manually inspect/copy it into a trusted editor to ensure there are no hidden or malicious instructions.
- Metadata mismatch and provenance: _meta.json and package.json list older versions than SKILL.md, and there's no homepage or clear source. Prefer skills with a known homepage, repo, and author, or ask for origin and changelog verification.
What you can do now:
- Request the author to remove embedded keys and declare required binaries/env vars in metadata.
- Run the code in an isolated environment (VM/container) and review the Chrome extension and 'bird' CLI before use.
- If you don't trust the included Ave key, delete it and supply your own (or disable Ave integration).
- If you want me to, I can: point to the exact lines with the embedded key, extract a cleaned SKILL.md with control characters removed, or produce a checklist of required runtime steps to run this safely in a container.
功能分析
Type: OpenClaw Skill
Name: token-analyzer
Version: 2.5.0
The bundle is a crypto token analyzer that uses the Chrome DevTools Protocol (CDP) to bypass anti-bot protections on gmgn.ai. It is classified as suspicious due to several high-risk requirements and practices: SKILL.md instructs the user to run Chrome with security features disabled (--no-sandbox, remote debugging) and install a specific external browser extension; scripts/token_query.py contains a hardcoded API key for Ave.ai; and scripts/token_query_v2.py executes external shell commands via subprocess (specifically a 'bird' CLI tool). While these behaviors are technically consistent with the tool's scraping objectives, they significantly expand the attack surface and weaken the host's security posture.
能力评估
Purpose & Capability
The code and SKILL.md align with the stated goal of querying GMGN and performing AI analysis (multiple gmgn.ai endpoints are used). However the package does more than the manifest claims: it expects a running Chrome DevTools endpoint and the optional 'bird' CLI for Twitter data, but the skill's metadata does not declare these runtime binaries or credentials. The presence of Ave.ai integration (prod.ave-api.com) is expected for third‑party enrichment but the Ave API key is embedded in code rather than declared as a required credential.
Instruction Scope
SKILL.md explicitly instructs users to stop the built‑in browser, start a Chrome instance with remote debugging on port 9222 and a browser extension, and update ~/.openclaw/openclaw.json to attach — these steps modify local runtime and open a CDP port. The code uses CDP websockets to execute fetch() in the browser context (to bypass Cloudflare). It also calls an external CLI ('bird') from Python to fetch Twitter data. The instructions grant the skill broad ability to control a browser instance on the host and run local subprocesses, which is larger scope than a simple API client.
Install Mechanism
There is no formal install spec (instruction‑only), which minimizes automated install risk, but the SKILL.md and scripts rely on external pieces: a Chrome extension (Chrome Web Store link), a Chrome instance started with specific flags, and optional 'bird' CLI. These are not enforced or declared in the registry metadata. No arbitrary remote downloads or extract operations were found in the install metadata, but the extension link and manual load instructions mean the user must install/enable external components themselves.
Credentials
The repository contains a hardcoded AVE_API_KEY value inside scripts/token_query.py (an embedded secret) rather than declaring it as an input credential — that is a sensitive artifact and an incoherence. The skill also assumes access to localhost:9222 and to run subprocesses (bird CLI) but does not declare these required binaries/configs. No required env vars are declared in metadata despite the presence of service keys and client/device identifiers in code.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and has no install script that writes persistent agents settings. It only asks the operator to start a browser and update an OpenClaw local config file to attach — ordinary operational steps, not elevated platform privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install token-analyzer - 安装完成后,直接呼叫该 Skill 的名称或使用
/token-analyzer触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.5.0
v2.5.0 adds a new AI bot analysis module and improves developer twitter profiling.
- 新增 🤖 AI 机器人分析模块,自动识别开发者与相关风险
- 集成 bird CLI 获取开发者推特账号数据,包括粉丝数、Bio、推文等
- 支持分析推文内容,识别 rug、scam、dev wallet 等风险关键词
- 推特数据用于自动判断身份和风险等级
- 支持从推文链接自动提取并分析用户名
v2.4.0
- 新增自动识别链功能,支持用户仅输入地址自动判断 BSC/BASE/SOL
- 查询顺序优化:优先判定 BSC(覆盖更多常见用例)
- 使用方式简化:支持 `python3 token_query_v2.py <address>`
- 文档描述更新,明确多链自动识别特性
v2.3.0
**v2.3.0 增强版:引入AI智能分析,全面提升代币洞察力**
- 新增三大AI智能分析模块:支持叙事分析、筹码分布和老鼠仓侦测
- 增加代币叙事分析(概念、热度等市场逻辑解读)
- 引入Top10持有者筹码分布、盈亏与CEX、控盘风险识别
- 支持老鼠仓分析,检测早期买入者sniper/bundler标签及潜在内幕交易
- 抓取并分析最近50条交易记录及前100持有者详细分布
- 所有AI分析均基于实时数据,输出结果更加智能与真实
v2.2.2
修复 PNL 为 None 时的格式化错误
v2.2.1
更新文档:添加开发者分析功能说明、历史成功项目展示和最新输出示例
v2.2.0
增强开发者分析:显示开发者历史成功项目(市值>1M的代币),包含代币名称、市值和地址
v2.1.0
添加开发者分析功能:显示开发者名称、发币数量、本币盈亏和PNL倍数
v2.0.3
优化输出格式,修复参数顺序,完善 Why Alpha 分析
v2.0.2
修复KOL统计:只统计还在持仓的KOL,过滤已清仓的KOL
v2.0.1
新增5分钟/1小时/24小时涨跌幅显示,优化链接为超链接格式,修复24小时涨跌幅计算准确性
v2.0.0
重构为使用官方 GMGN API,新增 KOL 分析、Early Score、Conviction 评分、Why Alpha 智能分析等功能
v1.0.1
token-analyzer 1.0.1
- 新增 package.json 文件,完善依赖声明。
- 优化消息格式,分析结果对用户更友好。
- 技能结果现支持直接推送至个人私聊。
- SKILL.md 增加版本号字段,描述同步更新改动。
v1.0.0
Initial release with on-demand token analysis.
元数据
常见问题
Token Analyzer 是什么?
基于官方 GMGN API 的代币分析工具。通过合约地址查询代币在 SOL/BSC/Base 链上的准确市场数据、安全检测、KOL 分析、开发者分析和 AI 智能分析(叙事/筹码/老鼠仓/机器人)。支持自动识别链。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 597 次。
如何安装 Token Analyzer?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install token-analyzer」即可一键安装,无需额外配置。
Token Analyzer 是免费的吗?
是的,Token Analyzer 完全免费(开源免费),可自由下载、安装和使用。
Token Analyzer 支持哪些平台?
Token Analyzer 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Token Analyzer?
由 0xshahai(@hanguang254)开发并维护,当前版本 v2.5.0。
推荐 Skills