Bybit Futures
Complete Bybit USDT perpetual futures trading system with risk management, paper trading, and live execution. Use when building a crypto futures trading bot,...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 3 · 951 · 4 current installs · 4 all-time installs
by SunnyZhou @sunnyztj
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md implement a full Bybit USDT perpetual futures trading system (paper/live/backtest, risk manager, WebSocket engine, Telegram alerts). That capability legitimately requires Bybit API credentials and (optionally) Telegram tokens, but the skill's registry metadata claims no required env vars or primary credential. This mismatch between claimed requirements and actual code is a red flag.
Instruction Scope
The SKILL.md instructions are scoped to trading tasks (install Python deps, copy config_template.py → config.py, run paper/live scripts, optionally enable systemd). The instructions and code read/write local state (paper_state.json, live_state.json, risk_state.json), log to a file, and post notifications to Telegram. They do not attempt to read unrelated system files or exfiltrate data to unknown endpoints—network calls are limited to Bybit (WS/REST via ccxt) and Telegram. However, the README's systemd example uses /root/trading which encourages running as root; that's risky and should be avoided.
Install Mechanism
This is instruction-only with bundled Python scripts; there's no installer that downloads arbitrary executables. The SKILL.md tells users to pip install common Python packages (ccxt, websockets, numpy, requests) which is proportional to the functionality. No suspicious external download URLs or archive extraction are present.
Credentials
The code expects BYBIT_API_KEY and BYBIT_API_SECRET (and optionally TG_BOT_TOKEN/TG_CHAT_ID) via config.py / environment variables, but the skill metadata declares no required env vars or primary credential. Requesting exchange API keys is expected for a trading bot, but the metadata omission is misleading and reduces visibility into what secrets will be needed and used. This mismatch should be corrected before trusting the skill.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It persists state and logs to local JSON and log files in the working directory and suggests running as a systemd service (example uses /root/trading). Persisting trading state is normal, but you should avoid running the service as root and be aware state files may contain trading/account state; run in a constrained environment (dedicated user, container) and protect those files.
What to consider before installing
This package appears to be a real Bybit futures trading bot, but the registry metadata is incomplete: the code expects BYBIT_API_KEY and BYBIT_API_SECRET (and optional TG_BOT_TOKEN/TG_CHAT_ID) even though the skill declares no required env vars. Before installing:
1) Do not run it as root — create a dedicated user or container and avoid using /root paths from the README;
2) Only use API keys with contract/trading permissions and explicitly disable withdrawal/asset permissions;
3) Test on Bybit testnet first and review config.py to ensure no secrets are hard-coded;
4) Review the code yourself (or have someone audit it) — network endpoints used are Bybit (ccxt) and Telegram (api.telegram.org), which is expected, but confirm there are no other hidden endpoints;
5) Protect the state/log files (they contain positions and may be sensitive);
6) If you plan to run long-term, consider limiting API key scopes, rotating keys, and running inside an isolated environment.
The main immediate issue is the metadata omission of required credentials — ask the publisher to correct the registry fields or treat the skill as requiring manual secret provisioning before use.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.1.0
SKILL.md
Bybit Futures Trading System
Complete trading infrastructure for Bybit USDT perpetual futures contracts.
Quick Start
- Install dependencies: pip install ccxt websockets numpy requests
- Copy scripts/config_template.py → config.py, fill in API keys
- Run paper trading: python scripts/paper_trading_ws.py
- When validated, switch to live: python scripts/live_trading.py
Architecture
config.py ← API keys + risk parameters
risk_manager.py ← Position sizing, daily loss limits, max positions
paper_trading_ws.py ← WebSocket real-time paper trading
live_trading.py ← Live execution (same logic, real orders)
backtest.py ← Historical backtesting engine
Risk Management
All trades enforced by risk_manager.py:
- Max position: configurable % of capital per trade (default 20%)
- Max leverage: configurable (default 5x)
- Stop loss: automatic per-trade (default 3%)
- Take profit: automatic per-trade (default 6%, 2:1 R/R)
- Daily loss limit: halt trading after X% daily drawdown (default 10%)
- Max concurrent positions: configurable (default 3)
Included Strategies
EMA Crossover (ETH)
- EMA(12) crosses above EMA(26) → long
- EMA(12) crosses below EMA(26) → short
- Best on: ETH/USDT 1h timeframe
RSI Mean Reversion (SOL, HYPE, PEPE)
- RSI(14) crosses up from below 30 → long
- RSI(14) crosses down from above 70 → short
- Best on: SOL, HYPE (73% WR), 1000PEPE (53% WR) 1h timeframe
- Backtested: HYPE +$339, PEPE +$210 on 90-day 1h data
Custom Strategy Template
See references/custom_strategy.md for adding your own signals.
WebSocket Real-Time Engine
The paper/live trading engine uses Bybit's WebSocket v5 API:
- Ticker subscription: millisecond-level price updates for SL/TP
- Kline subscription: signal calculation on candle close only
- Auto-reconnect: 5s retry on disconnect
- State persistence: saves every 5 minutes to JSON
Deployment
Recommended: systemd service on a VPS.
# Create service file
sudo tee /etc/systemd/system/paper-trading.service << 'EOF'
[Unit]
Description=Paper Trading Bot (WebSocket)
After=network.target
[Service]
Type=simple
WorkingDirectory=/root/trading
ExecStart=/usr/bin/python3 paper_trading_ws.py
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable --now paper-trading
Telegram Notifications
Built-in Telegram push for all events:
- Position opened/closed
- Stop loss / take profit hit
- 6-hourly summary reports
- Error alerts
Set TG_BOT_TOKEN and TG_CHAT_ID in config.
Files
- scripts/config_template.py — Configuration template
- scripts/risk_manager.py — Risk management engine
- scripts/paper_trading_ws.py — WebSocket paper trading bot
- scripts/live_trading.py — Live trading bot
- scripts/backtest.py — Backtesting engine
- references/custom_strategy.md — Guide for adding custom strategies
- references/bybit_api_notes.md — Bybit API gotchas and tips
