← 返回 Skills 市场
chaunceyliu

trade-agent

作者 ChaunceyLiu · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
1459
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install trade-agent
功能描述
Manage AIUSD trading and accounts by querying balances, executing trades, staking, withdrawing, topping up gas, and viewing transaction history via MCP backend.
安全使用建议
This package contains contradictory signals: the registry entry claims no requirements and no description, but the files implement an AIUSD trading skill that expects a bearer token and contains self-extracting installers that will write files and run 'npm install'. Do not run the installers or provide secrets until you validate the source. Steps to consider before installing: - Ask the publisher for an authoritative description and why registry metadata lists none of the env/binary requirements shown in SKILL.md. - Verify the owner and the GitHub release links in README independently (open them in a browser you control). The README points to github.com/galpha-ai — confirm that repository and release match the package checksum. - Inspect the extracted package content in a sandbox or on an isolated machine before running any installer or 'npm install'. Decode the base64 archive yourself to review files and package.json dependencies. - Do not set or expose MCP_HUB_TOKEN or other secrets to this skill until you confirm its legitimacy. If you must test, run it in a disposable VM/container with no access to real secrets or wallets. - If you plan to trust this skill, ask for a signed release or audit from the maintainer and prefer a version with explicit declared requirements and no hidden base64 payloads. Given the metadata/instruction mismatches and embedded archive, proceed cautiously — the inconsistencies could be benign (sloppy packaging) or intentional; additional verification from the author would materially increase confidence.
功能分析
Type: OpenClaw Skill Name: trade-agent Version: 1.0.1 The skill is classified as suspicious due to several high-risk capabilities, although without clear evidence of intentional malicious behavior. The `SKILL.md` instructs the AI agent to access sensitive local files (`~/.mcp-hub/token.json`, `~/.mcporter/`) and environment variables (`MCP_HUB_TOKEN`) for authentication, and to execute local shell commands (`npm run reauth`, `aiusd-skill tools --detailed`). Additionally, both `aiusd-skill-installer.sh` and `aiusd-skill-installer.js` installers perform `rm -rf` (or equivalent) and execute `npm install`, which involves fetching and executing arbitrary remote code (dependencies), posing a supply chain risk. While these actions are presented as necessary for the skill's stated purpose of trading and account management, they grant significant system access.
能力评估
Purpose & Capability
Metadata claims no required env vars or binaries and lists no description, but the SKILL.md and included README clearly implement an 'AIUSD' trading skill that requires a Bearer token (MCP_HUB_TOKEN or local token) and the installer scripts require Node.js and npm. The package name in files (aiusd-skill) does not match the registry name (trade-agent). These are incoherent with the declared 'no requirements' and missing description.
Instruction Scope
SKILL.md instructs the agent to use an auth priority (MCP_HUB_TOKEN env, OAuth, or local ~/.mcp-hub/token.json) and to run live 'tools --detailed' before any calls. The skill's declared requires.env is empty but instructions explicitly rely on environment credentials and a local token file, which means the runtime instructions require filesystem and credential access that was not declared. SKILL.md also contains rigid response rules (forbidden phrases and strict auth response templates) which attempt to control agent output — this is unusual and increases risk if the agent applies these directives.
Install Mechanism
Although registry shows 'no install spec' (instruction-only), the package includes two self-extracting installer scripts (shell and Node) with large base64-encoded archive blobs. Those installers extract an archive to disk, remove any existing installation directory, and run 'npm install' (network fetch). The presence of embedded base64 archives and extract operations elevates risk versus a purely instruction-only skill because arbitrary code will be written to disk and dependencies fetched at install time.
Credentials
Declared required env vars: none. SKILL.md, README, and installer behavior contradict that: SKILL.md requires MCP_HUB_TOKEN or OAuth/local token file for operation and README references OAuth and website logins. The skill will read ~/.mcp-hub/token.json and expects a bearer token — requiring secret access but not declaring it is disproportionate and opaque.
Persistence & Privilege
The skill does not set always:true and does not request system-wide privileges, but its installer will write an 'aiusd-skill' directory in the current working directory, remove any existing folder of the same name, and install npm dependencies. That creates persistent files and an installed runtime component; this is expected for a skill with an installer but should be considered when deciding to run it locally.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install trade-agent
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /trade-agent 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
AIUSD trade-agent v1.0.1 changelog: - Added skill installer scripts: `aiusd-skill-installer.js` and `aiusd-skill-installer.sh`. - Updated README.md with latest details. - Updated build-info.json for current build information.
v1.0.0
AIUSD Skill v1.0.0 – Initial Release - Provides AIUSD trading and account management functions via MCP backend. - Supports balance querying, trading (buy/sell/swap), staking, unstaking, withdrawals, gas top-up, and transaction history. - Strict agent response guidelines: - Absolutely prohibits use of "template", "example" (in trading contexts), and related banned phrases. - Authentication re-prompts must use fixed, plain guidance without URLs or step-by-step lists. - Agents must always call `aiusd-skill tools --detailed` first to get up-to-date tool schema and available actions. - Offers clear descriptions and usage scenarios for each skill tool. - Includes important URLs for login and official site.
元数据
Slug trade-agent
版本 1.0.1
许可证
累计安装 0
当前安装数 0
历史版本数 2
常见问题

trade-agent 是什么?

Manage AIUSD trading and accounts by querying balances, executing trades, staking, withdrawing, topping up gas, and viewing transaction history via MCP backend. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1459 次。

如何安装 trade-agent?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install trade-agent」即可一键安装,无需额外配置。

trade-agent 是免费的吗?

是的,trade-agent 完全免费(开源免费),可自由下载、安装和使用。

trade-agent 支持哪些平台?

trade-agent 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 trade-agent?

由 ChaunceyLiu(@chaunceyliu)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论