chaunceyliu

trade-with-aiusd

Author: ChaunceyLiu · GitHub · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 1538
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install trade-with-aiusd
Description
Manage AIUSD trading, staking, withdrawals, balance checks, gas top-ups, and transaction history via authenticated backend calls.
Security usage recommendations
Do not run the included installers or npm install blindly. Before installing, verify the skill's origin and integrity (official repo or vendor). Manually extract and inspect the embedded archive contents in a safe environment (isolated VM or container). Confirm which environment variables or token files the skill will read (MCP_HUB_TOKEN and ~/.mcp-hub/token.json are referenced) and ensure you are comfortable providing them. Review package.json and all JavaScript code for postinstall scripts or network endpoints, and audit npm dependencies. Prefer obtaining the skill from an authoritative, signed release (official GitHub release or vendor site) rather than running self-extracting installers from an unknown owner. If you lack the ability to audit, avoid installing or run it only in an isolated sandbox.
Functional analysis
Type: OpenClaw Skill
Name: trade-with-aiusd
Version: 1.0.1
The skill bundle is classified as suspicious due to several high-risk capabilities, even though their stated intent aligns with the skill's purpose. The `SKILL.md` file contains direct prompt injection instructions for the AI agent to execute shell commands like `npm run reauth` and `aiusd-skill tools --detailed`, and to perform file system operations such as clearing `~/.mcporter/` and `~/.mcp-hub/token.json` (which may contain sensitive authentication tokens). Both `aiusd-skill-installer.sh` and `aiusd-skill-installer.js` installers execute `npm install`, a significant supply chain risk that downloads and runs arbitrary code. The `README.md` also links to an external GitHub release for downloading the skill, posing another supply chain risk. While these actions are presented as necessary for a trading bot, the direct command execution, file manipulation, and reliance on external code execution without clear transparency of the embedded `package.json` raise significant security concerns.
Capability assessment
Purpose & Capability
The registry metadata declares no env vars or credentials, but SKILL.md clearly expects an authentication token (MCP_HUB_TOKEN), OAuth flow, or a local token file (~/.mcp-hub/token.json). The package name in metadata ('trade-with-aiusd') and the files both reference 'aiusd-skill' — minor naming mismatch but tolerable — however the absence of declared required env/config in metadata while the runtime instructions require tokens is an incoherence. Asking for browser OAuth and token-file access is proportionate for a trading skill, but it should be declared.
Instruction Scope
SKILL.md includes explicit runtime rules that constrain agent output (a list of forbidden phrases and strict guidance on authentication responses). This is unusual for a benign integration because it attempts to control how the agent explains authentication and forbids discussing certain terms (e.g., 'template', 'verification'). The instructions also refer to a local token path and environment variable not declared in metadata. The file tells the agent to always run 'aiusd-skill tools --detailed' first (reasonable) but also contains truncated content and a pre-scan prompt-injection indicator (base64-block), which increases risk that hidden content or embedded instructions exist.
Install Mechanism
There is no formal install spec in registry metadata, but the package includes two self-extracting installers (shell and Node.js) that contain a large base64-encoded archive and will extract files to disk and run 'npm install'. Embedding and auto-extracting a compressed payload is higher-risk because it writes arbitrary files and triggers npm, which may fetch remote packages or run install scripts. The archive is embedded (no external URL), but executing these installers without inspecting the extracted contents is dangerous.
Credentials
The skill legitimately needs an authentication token to call the AIUSD backend, but required env vars/config paths were not declared in the registry metadata. The SKILL.md's authentication priority (MCP_HUB_TOKEN, OAuth, ~/.mcp-hub/token.json) is plausible, but the mismatch between declared requirements (none) and runtime expectations is an incoherence. Additionally, SKILL.md forbids mentioning URLs and step-by-step auth instructions while elsewhere it lists specific URLs — contradictory guidance that could hide needed auth info from users.
Persistence & Privilege
The skill does not request 'always: true' or system-wide privileges. The installers extract into a subdirectory under the current working directory (aiusd-skill) and run npm install there; they do not request system-wide config changes in the provided files. That said, running npm install can have side effects depending on package scripts, but the skill itself does not declare elevated persistence.
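How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog box: /install trade-with-aiusd
  3. After installation, call the Skill by name or use /trade-with-aiusd to trigger it
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history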
v1.0.1
trade-with-aiusd v1.0.1
- Added installer scripts: `aiusd-skill-installer.js` and `aiusd-skill-installer.sh` for streamlined setup.
- Updated documentation and build metadata.
v1.0.0
AIUSD Skill v1.0.0 initial release
- Provides AIUSD trading and account management using backend MCP calls.
- Handles balances, trades, staking, withdrawals, gas top-up, and transaction history.
- Strict output guidelines for language (bans "template" and similar phrases in trading contexts).
- Authentication prioritized via environment variable, OAuth, or local file.
- Mandates always running `aiusd-skill tools --detailed` first to fetch live tool schema.
Metadata
Slug trade-with-aiusd
Version 1.0.1
License
Total installs 0
Current installs 0
Number of versions 2
FAQ

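What is trade-with-aiusd?

Manage AIUSD trading, staking, withdrawals, balance checks, gas top-ups, and transaction history via authenticated backend calls. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1538 cumulative downloads to date.

How do I install trade-with-aiusd?

Run the command "/install trade-with-aiusd" in the OpenClaw or Claude Code dialog box to install it in one step; no additional configuration is required.

Is trade-with-aiusd free?

Yes, trade-with-aiusd is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does trade-with-aiusd support?

trade-with-aiusd runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed trade-with-aiusd?

Developed and maintained by ChaunceyLiu (@chaunceyliu); the current version is v1.0.1.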
