技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 343 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :可疑 · OpenClaw :可疑
Package:plugy
安全扫描(ClawHub)
- VirusTotal :可疑
- OpenClaw :可疑
OpenClaw 评估
The skill's instructions broadly match a Solana trading tool, but it asks the agent/user to fetch remote instruction files, register to receive extremely sensitive keys (privateKey + apiKey), and persist them locally — behaviors that are coherent for trading but carry significant security risk and a few inconsistencies that deserve clarification before installing.
目的
The name/description (Solana trading) align with the instructions (endpoints, buy/sell/create, heartbeat). However there is an inconsistency: the docs call the wallet 'custodial' yet the register response returns a raw privateKey that the user is told to save and that the agent should display — custodial services typically do not hand private keys to end users. Also the registry metadata declares no required env vars/credentials, but the instr…
说明范围
The SKILL.md directs the agent to: (1) call https://plugy.fun/api to register and obtain apiKey/privateKey, (2) display the privateKey to the human and persist the apiKey in memory or ~/.config/plugy/credentials.json or PLUGY_API_KEY, and (3) fetch multiple additional files (trade.md, create.md, heartbeat.md, rules.md) from plugy.fun and follow them exactly. Fetching remote instruction files gives the remote site active control over runtime be…
安装机制
There is no formal install spec in the registry, but the skill explicitly instructs the operator to run curl against plugy.fun to download several files into ~/.plugy. This is a direct download from the project's domain (not a well-known release host like GitHub releases), and the downloaded remote content effectively controls the agent's runtime behavior. While not an automatic extract/exec, it is a medium-risk mechanism because remote files …
证书
Trading functionality reasonably requires wallet keys and an API key, but the skill asks the agent to handle and persist both an apiKey and a privateKey (highly sensitive). The manifest declared no required env vars or primary credential, yet SKILL.md instructs storing PLUGY_API_KEY or a credentials.json file. The privateKey handling and the contradictory 'custodial' claim are disproportionate or at least inconsistent and should be clarified b…
持久
The skill does not request 'always: true' and does not modify other skills, which is good. However it instructs persisting credentials to disk (~/.plugy or ~/.config/plugy) and to keep apiKey in memory, enabling ongoing autonomous access if the agent is allowed to act. Combined with remote file fetches and sensitive keys, this persistence increases blast radius if misused.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「plugy」。简介:Solana trading skill for AI agents. Buy, sell, and create tokens across PumpFun…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/qualitydude/plugy/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。