← 返回 Skills 市场
0xrag

Trade

作者 0xRAG · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
996
总下载
0
收藏
5
当前安装
1
版本数
在 OpenClaw 中安装
/install trade
功能描述
Swap or trade tokens on Base network. Use when you or the user want to trade, swap, exchange, buy, sell, or convert between tokens like USDC, ETH, and WETH. Covers phrases like "buy ETH", "sell ETH for USDC", "convert USDC to ETH", "get some ETH".
安全使用建议
This skill does what it says (trades tokens) but it executes an unpinned npm package at runtime (npx awal@latest) and relies on a wallet authentication step that is not described. Before installing or using it: verify the `awal` CLI's source and maintainers, prefer a pinned version rather than @latest, inspect the package code (or its published repository) to see how it handles keys and approvals, and avoid entering private keys into prompts unless you trust the package. If possible, run trades from an isolated/hard-limited wallet (small funds) or ask the author for a versioned, auditable integration that documents exactly how authentication and signing are performed.
功能分析
Type: OpenClaw Skill Name: trade Version: 0.1.0 The skill is designed for a legitimate purpose (token trading) and includes a security instruction to prevent shell variable expansion. However, it relies on the `npx awal@latest` external package, introducing a supply chain risk. More critically, the `allowed-tools` in `SKILL.md` use broad wildcards (`Bash(npx awal@latest trade *)`), permitting the agent to pass arbitrary arguments to the `awal` command. This creates a vulnerability where potential command injection flaws within the `awal` tool itself could be exploited if an attacker crafts malicious inputs, even though the skill itself does not explicitly instruct the agent to perform malicious actions.
能力评估
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md tells the agent to perform token swaps on Base using the `npx awal@latest trade` CLI, and the token aliases/arguments align with that purpose.
Instruction Scope
Instructions are narrowly scoped to calling the `awal` CLI (status/trade/balance) and handling amounts/tokens; they do not ask the agent to read arbitrary system files. However, they direct the agent to execute remote code (npx) that will interact with the user's wallet — the exact wallet access surface is not described here.
Install Mechanism
There is no install spec in the skill, but allowed-tools explicitly rely on `npx awal@latest`. Running npx fetches and executes code from the npm registry at runtime, and the skill pins to @latest (unversioned), introducing supply-chain / arbitrary remote-code risk. This is expected for a CLI-based approach but is a noteworthy risk that is not mitigated here (no pinned version, no source/homepage).
Credentials
The skill declares no required env vars or credentials, yet trading requires a wallet/authentication step. The SKILL.md refers to being "authenticated" and an external `authenticate-wallet` skill, but it does not declare what secrets or local wallet files the CLI will access. Lack of explicit credential declarations hides where private keys or wallets will be read or supplied.
Persistence & Privilege
The skill is user-invocable, not always-included, and does not request persistent privileges or modify other skills. Autonomous invocation is enabled (disable-model-invocation: false), which is normal; nothing here grants unusual system-wide persistence.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install trade
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /trade 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial release of the trade skill for swapping tokens on the Base network. - Enables trading, swapping, buying, selling, and converting tokens (e.g., USDC, ETH, WETH) via simple commands. - Supports amount input in USD, decimal, whole number, and atomic unit formats. - Includes token alias resolution and auto-detection of decimals for known tokens and contract addresses. - Allows custom slippage settings and JSON output. - Provides detailed examples, prerequisites, and error handling guidelines.
元数据
Slug trade
版本 0.1.0
许可证
累计安装 6
当前安装数 5
历史版本数 1
常见问题

Trade 是什么?

Swap or trade tokens on Base network. Use when you or the user want to trade, swap, exchange, buy, sell, or convert between tokens like USDC, ETH, and WETH. Covers phrases like "buy ETH", "sell ETH for USDC", "convert USDC to ETH", "get some ETH". 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 996 次。

如何安装 Trade?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install trade」即可一键安装,无需额外配置。

Trade 是免费的吗?

是的,Trade 完全免费(开源免费),可自由下载、安装和使用。

Trade 支持哪些平台?

Trade 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Trade?

由 0xRAG(@0xrag)开发并维护,当前版本 v0.1.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论