Total downloads: 72 | Favorites: 0 | Currently installed: 0 | Versions: 1
Install in OpenClaw
/install yield-offer-sanity-check
Description
A checklist skill that evaluates whether a yield, staking, or earn offer is reasonable or suspicious. Use when the user encounters a yield promotion. Prompt-...
Safe-use recommendations
The skill's markdown describes a prompt-only checklist, but the bundled handler.py reads a hard-coded absolute path (/Users/jianghaidong/.openclaw/skills/{skill_name}/SKILL.md). That is inconsistent with the documentation and risky: if the platform calls handler.handle with a crafted skill_name, the code reads files outside the skill's own directory, since a name containing '..' segments is not rejected. Before installing, ask the author why a prompt-only skill needs to read a local SKILL.md at all, and request that the filesystem access be removed or, failing that, that skill_name be validated and the resolved path confined to the skills directory. If you must test it, run it in a tightly sandboxed environment, strip the file read from handler.py or insist that the skill ship as truly prompt-only (no code), deny autonomous invocation, and review runtime logs for unexpected file reads. Do not install it into a production agent until the file-access behavior is explained or removed.
Functional analysis
Type: OpenClaw Skill
Name: yield-offer-sanity-check
Version: 1.0.0
The skill contains a significant security flaw in handler.py: it builds a hard-coded absolute path into one specific user's home directory (/Users/jianghaidong/.openclaw/skills/) and does not sanitize the skill_name parameter. If skill_name is user-controlled, that is a path traversal vulnerability. There is no evidence of intentional data exfiltration or malicious logic, but environment-specific paths and unconstrained file access are highly irregular for a portable skill bundle.
Capability assessment
Purpose & Capability
The SKILL.md describes a prompt-only checklist for yield offers and declares no required binaries, env vars, or config paths. However, the packaged handler.py attempts to load a SKILL.md from a hard-coded absolute path under /Users/jianghaidong/.openclaw/skills/{skill_name}. Reading local files is not justified by the stated prompt-only purpose and is disproportionate; a path rooted in one person's home directory also means the read cannot succeed as intended on any machine other than the author's.
Instruction Scope
Runtime instructions (SKILL.md) do not instruct reading any filesystem path, but handler.py performs file I/O: it opens an absolute path to a SKILL.md. This is scope creep: the code accesses local files not mentioned in the documentation, and a crafted skill_name containing relative path segments can point the read at files outside the skill's own directory.
Install Mechanism
There is no install specification (instruction-only), so nothing is downloaded or written during install. The risk comes from the included code being executed by the platform rather than from an installer or third-party download.
Credentials
The skill declares no required environment or credentials, yet the code reaches into a specific user's home path. This implicit dependence on a local config path is unexplained and disproportionate to the skill's purpose, and it may expose local files if the platform executes handler.py with attacker-controlled arguments.
Persistence & Privilege
The skill does not request 'always' presence, does not declare elevated privileges, and does not modify other skills. The main privilege concern is the code's ability to read local files when invoked, not persistent installation privileges.
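The following is an added example, not the skill's own handler.py (which the page does not reproduce). It reconstructs the risky pattern the analysis describes, a skill name interpolated into a fixed skills path with no validation, next to a hardened loader that allowlists the name and confines the resolved path to the skills directory. The constructed directory layout, the DEFAULT_SKILLS_DIR default and the function names are assumptions for the demo.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed for the example: the skills directory comes from the caller or a
# per-user default rather than a hard-coded "/Users/<someone>/..." path.
DEFAULT_SKILLS_DIR = Path.home() / ".openclaw" / "skills"

# Allowlist for skill names: lowercase letters, digits and hyphens only,
# so separators, dots and '..' never reach the filesystem layer.
SKILL_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")


def load_skill_md_unsafe(skill_name: str, base: Path = DEFAULT_SKILLS_DIR) -> str:
    """Reconstruction of the pattern the analysis describes (not the skill's
    real handler.py): the name is interpolated into a path unchecked, so a
    '..' segment or a symlinked directory walks out of the skills tree."""
    return Path(f"{base}/{skill_name}/SKILL.md").read_text(encoding="utf-8")


def is_within(base: Path, target: Path) -> bool:
    """True if target resolves to a location strictly inside base. Both sides
    are resolved, so '..' and symlinks are evaluated before the comparison.
    A plain string-prefix check would wrongly accept 'skills-evil' for 'skills'."""
    base, target = base.resolve(), target.resolve()
    return base in target.parents


def load_skill_md_safe(skill_name: str, base: Path = DEFAULT_SKILLS_DIR) -> str:
    """Hardened loader: allowlist the name, then require the resolved file to
    stay inside the resolved skills directory."""
    if not SKILL_NAME_RE.fullmatch(skill_name):
        raise ValueError(f"invalid skill name: {skill_name!r}")
    target = base / skill_name / "SKILL.md"
    if not is_within(base, target):
        raise PermissionError(f"{skill_name!r} escapes the skills directory")
    return target.read_text(encoding="utf-8")


def build_demo_tree() -> Path:
    """Constructed layout: one legitimate skill, plus a SKILL.md outside the
    skills directory standing in for data the skill should never see."""
    root = Path(tempfile.mkdtemp(prefix="skills-demo-"))
    (root / "skills" / "yield-offer-sanity-check").mkdir(parents=True)
    (root / "skills" / "yield-offer-sanity-check" / "SKILL.md").write_text("# checklist\n", encoding="utf-8")
    (root / "private").mkdir()
    (root / "private" / "SKILL.md").write_text("TOKEN=hunter2\n", encoding="utf-8")
    try:  # symlinked skill dir pointing outside the tree (skipped where symlinks are unavailable)
        (root / "skills" / "linked-skill").symlink_to(root / "private", target_is_directory=True)
    except OSError:
        pass
    return root


def outcome(fn, name: str, base: Path) -> str:
    """Return the file content, or the exception type name if the load was refused."""
    try:
        return fn(name, base)
    except (ValueError, PermissionError, FileNotFoundError) as exc:
        return type(exc).__name__


def demo() -> dict:
    """Run both loaders against the constructed tree and collect the results."""
    root = build_demo_tree()
    skills = root / "skills"
    try:
        return {
            "legit_unsafe": outcome(load_skill_md_unsafe, "yield-offer-sanity-check", skills),
            "legit_safe": outcome(load_skill_md_safe, "yield-offer-sanity-check", skills),
            "dotdot_unsafe": outcome(load_skill_md_unsafe, "../private", skills),
            "dotdot_safe": outcome(load_skill_md_safe, "../private", skills),
            "symlink_unsafe": outcome(load_skill_md_unsafe, "linked-skill", skills),
            "symlink_safe": outcome(load_skill_md_safe, "linked-skill", skills),
            "prefix_sibling_contained": is_within(skills, root / "skills-evil" / "SKILL.md"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value!r}")
```

The two checks are deliberately layered: the allowlist rejects '..' and separators before any path is built, and the resolve-then-compare check catches what the allowlist cannot see, such as a skill directory that is itself a symlink pointing outside the tree. The containment test compares resolved Path parents rather than string prefixes, which is why a sibling directory like skills-evil is not mistaken for a child of skills.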
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install yield-offer-sanity-check
- Once installed, call the skill by name directly or trigger it with /yield-offer-sanity-check
- Provide the required input as described in the skill's parameter documentation to receive structured output.
Version history
v1.0.0
Initial release of yield-offer-sanity-check:
- Provides a checklist workflow to evaluate yield, staking, or earn offers for reasonableness or suspicion.
- Outputs an offer summary, a sanity check verdict, red flags, analysis of the offer, and recommended next steps.
- Uses evidence and math rather than vague skepticism to assess offers.
- Flags new protocols with no track record and highlights unknowns if information is missing.
- Requires only user-provided offer details; no on-chain data or integrations needed.
FAQ
What is Yield Offer Sanity Check?
A checklist skill that evaluates whether a yield, staking, or earn offer is reasonable or suspicious. Use when the user encounters a yield promotion. Prompt-... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 72 downloads so far.
How do I install Yield Offer Sanity Check?
Run the command /install yield-offer-sanity-check in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Yield Offer Sanity Check free?
Yes, Yield Offer Sanity Check is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Yield Offer Sanity Check support?
Yield Offer Sanity Check is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Yield Offer Sanity Check?
Developed and maintained by haidong (@harrylabsj); current version v1.0.0.