Token Approval Checker
Author: liusanhong · v1.0.1
Total downloads: 359 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install token-approval-checker
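Description
A wallet approval management tool that checks ERC20/ERC721 token approval risks and identifies unlimited and high-risk approvals. Charges 0.001 USDT per call. Used when the user mentions "检查授权" (check approvals), "撤销授权" (revoke approvals), "Token Approval", "高风险授权" (high-risk approvals), or "MetaMask授权" (MetaMask approvals). Wallet authorization management to...
Security Recommendations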
Do not install or enable this skill until the following are resolved: (1) The hard-coded billing API key must be removed from the SKILL.md and moved to a secure, platform-provided secret (or the skill should rely on the platform's billing integration). (2) The vendor/source must be identified and verified (skill has unknown source and no homepage). (3) Request the complete implementation: where checkWalletApprovals is implemented, how revoke operations are performed, and what dependencies are required (ethers.js, node fetch). (4) Confirm the billing provider (skillpay.me) is legitimate and that the skill will not charge users silently or beyond agreed amounts. (5) Never provide private wallet keys; confirm the skill only needs a public wallet address and does not request signing keys. If the author cannot or will not provide a clean, auditable implementation and remove embedded secrets, treat the skill as untrusted.
Functional Analysis
Type: OpenClaw Skill
Name: token-approval-checker
Version: 1.0.1
The skill bundle contains a hardcoded API key ('BILLING_API_KEY') within the SKILL.md file, which is a significant security vulnerability (leaked credential). It implements a custom billing logic via 'skillpay.me' and instructs the AI agent to charge users 0.001 USDT per call for information that is primarily available for free via the linked official block explorers (e.g., Etherscan, BscScan). While no direct evidence of data theft was found, the combination of hardcoded secrets and a pay-per-use model for free public tools is highly irregular.
Capability Assessment
Purpose & Capability
The skill claims only to check/manage wallet token approvals, which could legitimately include charging for the service — but the SKILL.md embeds a SkillPay billing integration (charging 0.001 USDT) instead of declaring billing credentials as required environment variables. The file also references external services (skillpay.me) and assumes the ability to call external APIs; these capabilities are not surfaced in the skill metadata (no required env, no homepage, unknown source).
Instruction Scope
SKILL.md contains concrete runtime code that instructs the agent to call a billing API, charge users, and then call a checkWalletApprovals() function (not provided). It also includes example revoke code using ethers.js. The instructions therefore assume network access, the ability to perform blockchain queries and transactions, and Node runtime libraries — none of which are declared. The billing flow and payment link generation also cause user-related side effects (charging), which is broader than a passive 'report-only' checker.
Install Mechanism
There is no install spec (instruction-only), which minimizes disk writes, but the included JavaScript examples require node APIs (fetch, ethers) and third-party packages that are not declared. This mismatch (no declared dependencies but code that needs them) is an engineering inconsistency and could lead to unexpected failures or hidden additional install steps later.
Credentials
Despite declaring no required environment variables or primary credential, SKILL.md hard-codes an API key (BILLING_API_KEY = 'sk_b82c6...') for the external billing service. Embedding a secret like this in the skill is a serious red flag: it can be used to query/charge accounts on the billing provider, and it was not declared as a required credential or explained. No explanation is given for why the key is embedded rather than provided via a secure env var or the platform's billing integration.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or elevated platform privileges in the metadata. It is user-invocable and allows autonomous invocation (platform default), which is normal. There is no evidence in the metadata that the skill modifies other skills or system-wide settings.
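How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install token-approval-checker
- After installation, call the Skill by name or use /token-approval-checker to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version History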
v1.0.1
Updated SkillPay billing integration with correct API format and SKILL_ID
v1.0.0
- Initial release of Token Approval Checker.
- Check ERC20/ERC721 token approval risks across major EVM chains.
- Identify unlimited and high-risk token approvals; recommends corrective actions.
- Charges 0.001 USDT per approval check (BNB Chain).
- Bilingual documentation (English and 中文) with usage instructions and sample outputs.
- Includes code snippets for manual revocation and SkillPay billing integration.
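FAQ
What is Token Approval Checker?
A wallet approval management tool that checks ERC20/ERC721 token approval risks and identifies unlimited and high-risk approvals. Charges 0.001 USDT per call. Used when the user mentions "检查授权" (check approvals), "撤销授权" (revoke approvals), "Token Approval", "高风险授权" (high-risk approvals), or "MetaMask授权" (MetaMask approvals). Wallet authorization management to... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 359 downloads to date.
How do I install Token Approval Checker?
Run the command "/install token-approval-checker" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.
Is Token Approval Checker free?
Yes, Token Approval Checker is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Token Approval Checker support?
Token Approval Checker is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Token Approval Checker?
It is developed and maintained by liusanhong (@liusanhong); the current version is v1.0.1.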