Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aster Futures

v0.1.1

Aster Futures request using the Aster API. Authentication uses EIP-712 ECDSA signing with API wallet. Supports mainnet.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill's stated purpose (placing and querying futures orders via Aster's API) legitimately requires EIP-712 signing and access to an API wallet private key. However, the registry metadata declares no required environment variables or primary credential even though the included authentication reference and examples explicitly use SIGNER_PRIVATE_KEY and wallet addresses. That mismatch (needing a private key but not declaring how it will be supplied) is incoherent and disproportionate.
Instruction Scope
SKILL.md and references/authentication.md instruct the agent to call fapi.asterdex.com endpoints, use curl/jq for data extraction, and perform EIP-712 signing. The authentication doc includes a Python example that embeds SIGNER_PRIVATE_KEY and demonstrates signing and posting orders (including placing/cancelling orders and 'cancel all' operations). The instructions do not specify how the agent should obtain/store the private key (env var, secure vault, user prompt), nor do they constrain when trade-affecting endpoints can be used. That lack of specification expands the agent's discretion and could lead to accidental or unauthorized use of high-privilege operations.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk, which minimizes install-surface risk.
Credentials
The skill requires signing with an API wallet private key to perform trading (highly sensitive). Yet the package metadata lists no required env vars, no primary credential, and no required config paths. There is no guidance in metadata about required secret scope or least-privilege credentials. The endpoints documented include destructive actions (placing orders, cancel all open orders), so requesting full private-key signing capability is high privilege and should have been explicitly declared and scoped.
Persistence & Privilege
The skill is not marked always:true; it is user-invocable and allows model invocation (default). That means if the agent is given credentials it could act autonomously and place/cancel trades. Autonomous invocation alone is normal for skills, but combined with the missing credential declaration and high-privilege trading endpoints this increases the blast radius — the skill should document explicit runtime approval flows and credential handling.
What to consider before installing
This skill is 'suspicious' because it needs your API wallet private key to sign trade requests but does not declare how it will get or store that secret. Before installing or using it:

  1. Do not paste your main wallet private key into chat or into the agent; prefer a dedicated API key/wallet with minimal permissions.
  2. Ask the author how credentials are provided (env vars, vault, or interactive prompt) and request explicit metadata declaring required env vars.
  3. If you must test, use a testnet or a dedicated account with zero funds and IP/permission restrictions.
  4. Disable autonomous invocation (or require manual approval) so the agent cannot place or cancel orders without your explicit confirmation.
  5. Prefer a signing workflow that uses remote/hardware signing or a short-lived delegated credential rather than exposing raw private keys.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97b99qbhpv13bmeqj3ee44ns1827hnz
372 downloads · 0 stars · 2 versions
Updated 7h ago
v0.1.1 · MIT-0

Aster Futures Skill

Futures requests on Aster using authenticated API endpoints. Authentication uses EIP-712 ECDSA signing with an API wallet (main wallet + signer wallet). Return results in JSON format.

Data Fetching Guidelines (CRITICAL)

NEVER truncate JSON responses with head -c, head -n, or similar — truncated JSON is corrupted and will produce wrong results.

Mandatory Rules

  1. Always specify the symbol parameter when querying a specific trading pair. Many endpoints return ALL symbols when symbol is omitted, producing responses of 100KB+.
  2. Always use the limit parameter to constrain result size. Use the smallest limit that satisfies the request (e.g., limit=5 instead of the default 500).
  3. Use jq to extract fields; never read raw mega-JSON by eye. Pipe through jq to select only the needed data.

Progressive Data Exploration Strategy

When the user asks a broad question (e.g., "what futures are available?"), use a layered approach:

  1. Step 1 — Get lightweight summary first:

    # Get just the symbol list, not full exchangeInfo
    curl -s "https://fapi.asterdex.com/fapi/v3/exchangeInfo" | jq '[.symbols[].symbol]'
    
  2. Step 2 — Confirm scope with user before fetching detailed data for many symbols.

  3. Step 3 — Fetch details for specific symbols only:

    # Get price for ONE symbol, not all
    curl -s "https://fapi.asterdex.com/fapi/v3/ticker/price?symbol=BTCUSDT"
    

Endpoints That Return Dangerously Large Data (without symbol filter)

| Endpoint | Without symbol | With symbol |
|---|---|---|
| /fapi/v3/exchangeInfo | ALL symbols + filters (100KB+) | N/A (no symbol filter); use jq to select fields |
| /fapi/v3/ticker/24hr | ALL symbols (50KB+) | Single object (~500B) |
| /fapi/v3/ticker/price | ALL symbols (10KB+) | Single object (~80B) |
| /fapi/v3/ticker/bookTicker | ALL symbols (20KB+) | Single object (~150B) |
| /fapi/v3/premiumIndex | ALL symbols (30KB+) | Single object (~300B) |
| /fapi/v3/depth | N/A (symbol required) | Varies by limit; use limit=5 for an overview |
| /fapi/v3/klines | N/A (symbol required) | Default 500 candles; always set limit |
| /fapi/v3/trades | N/A (symbol required) | Default 500 trades; always set limit |

Example: Safe vs Unsafe

# BAD — returns ALL symbols, then truncates = corrupted JSON
curl -s ".../fapi/v3/ticker/price" | head -c 5000

# GOOD — returns single symbol, complete JSON
curl -s ".../fapi/v3/ticker/price?symbol=BTCUSDT"

# BAD — 500 candles by default
curl -s ".../fapi/v3/klines?symbol=BTCUSDT&interval=1h"

# GOOD — only 5 candles
curl -s ".../fapi/v3/klines?symbol=BTCUSDT&interval=1h&limit=5"

# GOOD — extract only symbol and status for each contract from exchangeInfo
curl -s ".../fapi/v3/exchangeInfo" | jq '[.symbols[] | {symbol, status}]'
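The rules above turned into a pre-flight check, as an added example in Python that is not part of the skill: `violation` and `build_query` apply the symbol/limit rules from the table above before a URL is issued, `is_complete_json` shows why a `head -c` prefix of a response is unusable, and `symbols_of` is the Python equivalent of the jq filter. The endpoint sets are copied from the table, the base URL is the one used in the curl examples, and the ticker response at the bottom is constructed, not real API output.

```python
import json
from urllib.parse import urlencode

BASE_URL = "https://fapi.asterdex.com"
# Endpoints that return every symbol when 'symbol' is omitted (from the table above).
ALL_SYMBOLS_IF_UNFILTERED = {"/fapi/v3/ticker/24hr", "/fapi/v3/ticker/price",
                             "/fapi/v3/ticker/bookTicker", "/fapi/v3/premiumIndex"}
# Endpoints where 'symbol' is mandatory and the API default 'limit' is 500 rows.
SYMBOL_REQUIRED = {"/fapi/v3/depth", "/fapi/v3/klines", "/fapi/v3/trades"}
OVERVIEW_LIMIT = 5  # the skill's suggested limit for a first look


def violation(path, params, allow_all_symbols=False):
    """Return the rule a request breaks, or None if it is safe to send."""
    if path in SYMBOL_REQUIRED and "symbol" not in params:
        return f"{path} requires symbol"
    if path in ALL_SYMBOLS_IF_UNFILTERED and "symbol" not in params and not allow_all_symbols:
        return f"{path} without symbol returns every symbol (pass symbol=, or opt in explicitly)"
    return None


def build_query(path, params=None, allow_all_symbols=False):
    """Full URL for a request that passes the rules; a 'limit' is forced on the 500-row endpoints."""
    params = dict(params or {})
    problem = violation(path, params, allow_all_symbols)
    if problem:
        raise ValueError(problem)
    if path in SYMBOL_REQUIRED:
        params.setdefault("limit", OVERVIEW_LIMIT)  # never fall back to the 500-row default
    return f"{BASE_URL}{path}?{urlencode(params)}" if params else BASE_URL + path


def is_complete_json(body):
    """True only if the whole body parses; a `head -c` prefix of an array never does."""
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


def symbols_of(exchange_info):
    """Same as: jq '[.symbols[].symbol]' on /fapi/v3/exchangeInfo."""
    return [s["symbol"] for s in exchange_info["symbols"]]


# Constructed stand-ins (not real API output): an unfiltered ticker/price response
# and the corrupted prefix that `| head -c 5000` would leave of it.
FULL_TICKER_BODY = json.dumps(
    [{"symbol": f"SYM{i:04d}USDT", "price": f"{i}.0", "time": 1735693200000} for i in range(300)]
).encode()
TRUNCATED_TICKER_BODY = FULL_TICKER_BODY[:5000]
```

`violation` is the piece worth wiring into an agent harness: it answers before the request is sent, so the 100KB+ response never reaches the model in the first place; `is_complete_json` is the check to run on whatever did come back before handing it to jq-style extraction.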

Quick Reference

| Endpoint | Description | Required | Optional | Authentication |
|---|---|---|---|---|
| /fapi/v3/ping (GET) | Test connectivity | None | None | No |
| /fapi/v3/time (GET) | Check server time | None | None | No |
| /fapi/v3/exchangeInfo (GET) | Exchange information | None | None | No |
| /fapi/v3/depth (GET) | Order book | symbol | limit | No |
| /fapi/v3/trades (GET) | Recent trades list | symbol | limit | No |
| /fapi/v3/historicalTrades (GET) | Old trades lookup | symbol | limit, fromId | Yes |
| /fapi/v3/aggTrades (GET) | Compressed/Aggregate trades list | symbol | fromId, startTime, endTime, limit | No |
| /fapi/v3/klines (GET) | Kline/Candlestick data | symbol, interval | startTime, endTime, limit | No |
| /fapi/v3/indexPriceKlines (GET) | Index price kline data | pair, interval | startTime, endTime, limit | No |
| /fapi/v3/markPriceKlines (GET) | Mark price kline data | symbol, interval | startTime, endTime, limit | No |
| /fapi/v3/premiumIndex (GET) | Mark price and funding rate | None | symbol | No |
| /fapi/v3/fundingRate (GET) | Funding rate history | None | symbol, startTime, endTime, limit | No |
| /fapi/v3/ticker/24hr (GET) | 24hr ticker price change statistics | None | symbol | No |
| /fapi/v3/ticker/price (GET) | Symbol price ticker | None | symbol | No |
| /fapi/v3/ticker/bookTicker (GET) | Symbol order book ticker | None | symbol | No |
| /fapi/v3/order (POST) | New order | symbol, side, type, timestamp | positionSide, timeInForce, quantity, reduceOnly, price, newClientOrderId, stopPrice, closePosition, activationPrice, callbackRate, workingType, priceProtect, newOrderRespType, recvWindow | Yes |
| /fapi/v3/batchOrders (POST) | Place multiple orders | batchOrders, timestamp | recvWindow | Yes |
| /fapi/v3/order (GET) | Query order | symbol, timestamp | orderId, origClientOrderId, recvWindow | Yes |
| /fapi/v3/order (DELETE) | Cancel order | symbol, timestamp | orderId, origClientOrderId, recvWindow | Yes |
| /fapi/v3/allOpenOrders (DELETE) | Cancel all open orders | symbol, timestamp | recvWindow | Yes |
| /fapi/v3/batchOrders (DELETE) | Cancel multiple orders | symbol, timestamp | orderIdList, origClientOrderIdList, recvWindow | Yes |
| /fapi/v3/countdownCancelAll (POST) | Auto-cancel all open orders (countdown) | symbol, countdownTime, timestamp | recvWindow | Yes |
| /fapi/v3/openOrder (GET) | Query current open order | symbol, timestamp | orderId, origClientOrderId, recvWindow | Yes |
| /fapi/v3/openOrders (GET) | Current all open orders | timestamp | symbol, recvWindow | Yes |
| /fapi/v3/allOrders (GET) | All orders | symbol, timestamp | orderId, startTime, endTime, limit, recvWindow | Yes |
| /fapi/v3/balance (GET) | Futures account balance | timestamp | recvWindow | Yes |
| /fapi/v3/account (GET) | Account information | timestamp | recvWindow | Yes |
| /fapi/v3/leverage (POST) | Change initial leverage | symbol, leverage, timestamp | recvWindow | Yes |
| /fapi/v3/marginType (POST) | Change margin type | symbol, marginType, timestamp | recvWindow | Yes |
| /fapi/v3/positionMargin (POST) | Modify isolated position margin | symbol, amount, type, timestamp | positionSide, recvWindow | Yes |
| /fapi/v3/positionMargin/history (GET) | Position margin change history | symbol, timestamp | type, startTime, endTime, limit, recvWindow | Yes |
| /fapi/v3/positionRisk (GET) | Position information | timestamp | symbol, recvWindow | Yes |
| /fapi/v3/positionSide/dual (POST) | Change position mode | dualSidePosition, timestamp | recvWindow | Yes |
| /fapi/v3/positionSide/dual (GET) | Get current position mode | timestamp | recvWindow | Yes |
| /fapi/v3/multiAssetsMargin (POST) | Change multi-assets mode | multiAssetsMargin, timestamp | recvWindow | Yes |
| /fapi/v3/multiAssetsMargin (GET) | Get current multi-assets mode | timestamp | recvWindow | Yes |
| /fapi/v3/asset/wallet/transfer (POST) | Transfer between futures and spot | amount, asset, clientTranId, kindType, timestamp | None | Yes |
| /fapi/v3/userTrades (GET) | Account trade list | symbol, timestamp | startTime, endTime, fromId, limit, recvWindow | Yes |
| /fapi/v3/income (GET) | Get income history | timestamp | symbol, incomeType, startTime, endTime, limit, recvWindow | Yes |
| /fapi/v3/leverageBracket (GET) | Notional and leverage brackets | timestamp | symbol, recvWindow | Yes |
| /fapi/v3/adlQuantile (GET) | Position ADL quantile estimation | timestamp | symbol, recvWindow | Yes |
| /fapi/v3/forceOrders (GET) | User's force orders | timestamp | symbol, autoCloseType, startTime, endTime, limit, recvWindow | Yes |
| /fapi/v3/commissionRate (GET) | User commission rate | symbol, timestamp | recvWindow | Yes |
| /fapi/v3/listenKey (POST) | Start user data stream | None | None | Yes |
| /fapi/v3/listenKey (PUT) | Keepalive user data stream | None | None | Yes |
| /fapi/v3/listenKey (DELETE) | Close user data stream | None | None | Yes |
| /bapi/futures/v1/public/future/aster/deposit/assets (GET) | Get all deposit assets | chainIds, accountType | networks | No |
| /bapi/futures/v1/public/future/aster/withdraw/assets (GET) | Get all withdraw assets | chainIds, accountType | networks | No |
| /bapi/futures/v1/public/future/aster/estimate-withdraw-fee (GET) | Estimate withdraw fee | chainId, network, currency, accountType | None | No |
| /fapi/aster/user-withdraw (POST) | Withdraw by API (EVM Futures) | chainId, asset, amount, fee, receiver, nonce, userSignature, timestamp, signature | recvWindow | Yes |
| /fapi/aster/user-solana-withdraw (POST) | Withdraw by API (Solana Futures) | chainId, asset, amount, fee, receiver, timestamp, signature | recvWindow | Yes |

Parameters

Common Parameters

  • symbol: Trading pair symbol (e.g., BTCUSDT)
  • pair: Trading pair for index price endpoints (e.g., BTCUSDT)
  • side: Order side BUY or SELL
  • type: Order type (LIMIT, MARKET, STOP, STOP_MARKET, TAKE_PROFIT, TAKE_PROFIT_MARKET, TRAILING_STOP_MARKET)
  • positionSide: Position side; default BOTH for One-way Mode; LONG/SHORT for Hedge Mode
  • timeInForce: Time in force (GTC, IOC, FOK, GTX)
  • quantity: Order quantity (e.g., 0.1)
  • price: Order price (e.g., 50000)
  • stopPrice: Stop price for STOP/STOP_MARKET/TAKE_PROFIT/TAKE_PROFIT_MARKET orders
  • closePosition: Close-All flag; "true" or "false"; cannot be used with quantity
  • activationPrice: Activation price for TRAILING_STOP_MARKET orders
  • callbackRate: Callback rate for TRAILING_STOP_MARKET; range 0.1-5
  • workingType: Stop price trigger type; "MARK_PRICE" or "CONTRACT_PRICE"
  • priceProtect: Price protection flag; "TRUE" or "FALSE"
  • reduceOnly: Reduce-only flag; default "false"
  • newClientOrderId: Unique client order ID
  • newOrderRespType: Response type; "ACK" or "RESULT"
  • orderId: Order ID (e.g., 22542179)
  • origClientOrderId: Original client order ID
  • orderIdList: List of order IDs to cancel (max 10)
  • origClientOrderIdList: List of client order IDs to cancel (max 10)
  • batchOrders: List of order objects (max 5)
  • countdownTime: Countdown time in milliseconds; set to 0 to cancel countdown
  • leverage: Leverage value; range 1-125
  • marginType: Margin type; ISOLATED or CROSSED
  • amount: Margin amount for position margin modification
  • dualSidePosition: Position mode; "true" = Hedge Mode; "false" = One-way Mode
  • multiAssetsMargin: Multi-assets mode; "true" = Multi-Assets Mode; "false" = Single-Asset Mode
  • asset: Asset name (e.g., USDT)
  • clientTranId: Client transfer ID (unique within 7 days)
  • kindType: Transfer direction; FUTURE_SPOT or SPOT_FUTURE
  • incomeType: Income type filter (TRANSFER, WELCOME_BONUS, REALIZED_PNL, FUNDING_FEE, COMMISSION, INSURANCE_CLEAR, MARKET_MERCHANT_RETURN_REWARD)
  • autoCloseType: Force order type; LIQUIDATION or ADL
  • fromId: ID to get trades from INCLUSIVE (e.g., 1)
  • startTime: Timestamp in ms to filter from INCLUSIVE (e.g., 1735693200000)
  • endTime: Timestamp in ms to filter until INCLUSIVE (e.g., 1735693200000)
  • limit: Result limit; varies per endpoint (e.g., 500)
  • interval: Kline interval (e.g., 1h)
  • recvWindow: Request validity window; cannot be greater than 60000 (e.g., 5000)
  • timestamp: Request timestamp in milliseconds (e.g., 1735693200000)
  • chainIds: Chain ID(s), comma-separated (for deposit/withdraw asset queries)
  • chainId: Chain ID (for withdraw operations)
  • networks: Network type (EVM, SOLANA), comma-separated
  • network: Network type (EVM, SOL)
  • currency: Currency name (e.g., ASTER)
  • accountType: Account type (spot, perp)
  • fee: Withdraw fee in token units
  • receiver: Receipt address for withdrawals
  • nonce: Unique number for signing (microsecond timestamp for API auth; milliseconds x 1000 for EIP712 withdraw)
  • userSignature: EIP712 signature for EVM withdrawals
  • signature: ECDSA API signature

Enums

  • side: BUY | SELL
  • positionSide: BOTH | LONG | SHORT
  • type (order): LIMIT | MARKET | STOP | STOP_MARKET | TAKE_PROFIT | TAKE_PROFIT_MARKET | TRAILING_STOP_MARKET
  • timeInForce: GTC | IOC | FOK | GTX
  • workingType: MARK_PRICE | CONTRACT_PRICE
  • marginType: ISOLATED | CROSSED
  • newOrderRespType: ACK | RESULT
  • interval: 1m | 3m | 5m | 15m | 30m | 1h | 2h | 4h | 6h | 8h | 12h | 1d | 3d | 1w | 1M
  • orderStatus: NEW | PARTIALLY_FILLED | FILLED | CANCELED | REJECTED | EXPIRED
  • contractStatus: PENDING_TRADING | TRADING | PRE_SETTLE | SETTLING | CLOSE
  • incomeType: TRANSFER | WELCOME_BONUS | REALIZED_PNL | FUNDING_FEE | COMMISSION | INSURANCE_CLEAR | MARKET_MERCHANT_RETURN_REWARD
  • autoCloseType: LIQUIDATION | ADL
  • kindType: FUTURE_SPOT | SPOT_FUTURE
  • positionMarginType: 1 (add margin) | 2 (reduce margin)

Authentication

For endpoints that require authentication, you will need to provide Aster API credentials. Required credentials:

  • Main Wallet Address (user): Your Aster main wallet address
  • API Wallet Address (signer): Your API wallet address (obtained via Pro API registration at asterdex.com)
  • API Wallet Private Key: Your API wallet private key (for ECDSA signing)

Base URLs:

  • https://fapi.asterdex.com for the /fapi endpoints used in the examples above (the base URL for the /bapi asset endpoints is not given here)

See references/authentication.md for implementation details.

Security

Share Credentials

Users can provide Aster API credentials by sending a file where the content is in the following format:

0x1234...abcd
0x5678...efgh
private_key_hex...

Line 1: Main wallet address (user)
Line 2: API wallet address (signer)
Line 3: API wallet private key

Note that this file carries the raw signing key, and the TOOLS.md structure below stores it unmasked; the masking rules that follow apply to display only, not to storage.

Never Display Full Secrets

When showing credentials to users:

  • Main Wallet: Show first 6 + last 4 characters: 0x1234...abcd
  • API Wallet: Show first 6 + last 4 characters: 0x5678...efgh
  • Private Key: Always mask, show only last 5: ***...f1a2b

Example response when asked for credentials:

  Account: main
  Main Wallet: 0x1234...abcd
  API Wallet: 0x5678...efgh
  Private Key: ***...f1a2b
  Environment: Mainnet

Listing Accounts

When listing accounts, show names and environment only, never keys:

Aster Accounts:

  • main (Mainnet)
  • trading-01 (Mainnet)
  • arb-bot (Mainnet)

Transactions in Mainnet

When performing transactions in mainnet, always confirm with the user before proceeding by asking them to write "CONFIRM" to proceed.


Aster Accounts

main

  • Main Wallet: your_main_wallet_address
  • API Wallet: your_api_wallet_address
  • Private Key: your_api_wallet_private_key
  • Description: Primary trading account

TOOLS.md Structure

## Aster Accounts

### main
- Main Wallet: 0x1234...abcd
- API Wallet: 0x5678...efgh
- Private Key: private_key_hex...
- Description: Primary trading account

### trading-01
- Main Wallet: 0xaaaa...1111
- API Wallet: 0xbbbb...2222
- Private Key: private_key_hex...
- Description: Automated trading

### arb-bot
- Main Wallet: 0xcccc...3333
- API Wallet: 0xdddd...4444
- Private Key: private_key_hex...
- Description: Arbitrage bot account

Agent Behavior

  1. Credentials requested: mask private keys (show the last 5 characters only) and mask wallet addresses (show the first 6 + last 4)
  2. Listing accounts: show names and environment, never keys
  3. Account selection: ask if ambiguous, default to main
  4. Transactions in mainnet: confirm with the user beforehand by asking them to write "CONFIRM" to proceed
  5. New credentials: prompt for name, main wallet, API wallet, private key
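The masking and confirmation rules in this list as code an agent harness could call, added here as an example and not part of the skill. The set of state-changing endpoints is read off the Quick Reference (every POST/DELETE that places or cancels orders, changes leverage, margin or position mode, transfers, or withdraws; listenKey management is treated as a read); which calls count as a "transaction" is this example's reading of that table, not a statement by the skill. One point goes beyond the skill's rule: the CONFIRM reply is bound to the exact request that was shown, so a confirmation given for one order cannot be reused for a cancel-all.

```python
def mask_address(addr):
    """Wallet address: first 6 + last 4 characters, e.g. 0x1234...abcd."""
    return addr if len(addr) <= 10 else f"{addr[:6]}...{addr[-4:]}"


def mask_private_key(key):
    """Private key: never shown in full; only the last 5 characters survive."""
    return "***..." + key[-5:]


def describe_account(name, main_wallet, api_wallet, private_key, environment="Mainnet"):
    """The masked credential summary an agent may echo back to the user."""
    return "\n".join([f"Account: {name}",
                      f"Main Wallet: {mask_address(main_wallet)}",
                      f"API Wallet: {mask_address(api_wallet)}",
                      f"Private Key: {mask_private_key(private_key)}",
                      f"Environment: {environment}"])


# (method, path) pairs from the Quick Reference that change account state; everything else is a read.
STATE_CHANGING = {
    ("POST", "/fapi/v3/order"), ("POST", "/fapi/v3/batchOrders"),
    ("DELETE", "/fapi/v3/order"), ("DELETE", "/fapi/v3/allOpenOrders"),
    ("DELETE", "/fapi/v3/batchOrders"), ("POST", "/fapi/v3/countdownCancelAll"),
    ("POST", "/fapi/v3/leverage"), ("POST", "/fapi/v3/marginType"),
    ("POST", "/fapi/v3/positionMargin"), ("POST", "/fapi/v3/positionSide/dual"),
    ("POST", "/fapi/v3/multiAssetsMargin"), ("POST", "/fapi/v3/asset/wallet/transfer"),
    ("POST", "/fapi/aster/user-withdraw"), ("POST", "/fapi/aster/user-solana-withdraw"),
}


def requires_confirmation(method, path, environment="Mainnet"):
    """The skill's rule: a mainnet transaction needs an explicit CONFIRM from the user first."""
    return environment == "Mainnet" and (method.upper(), path) in STATE_CHANGING


def confirmation_summary(method, path, params):
    """What the user is asked to confirm; keys are sorted so one request always renders the same way."""
    return f"{method.upper()} {path} " + " ".join(f"{k}={params[k]}" for k in sorted(params))


def authorize(method, path, params, environment, reply, shown_summary):
    """True if the request may be sent. The literal reply CONFIRM only counts for the exact
    request whose summary was shown (added hardening beyond the skill's wording)."""
    if not requires_confirmation(method, path, environment):
        return True
    return (reply or "").strip() == "CONFIRM" and shown_summary == confirmation_summary(method, path, params)
```

In practice the harness calls `confirmation_summary` to render the prompt, keeps that string, and passes it back into `authorize` together with the user's reply; the request goes out only when both match.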

Adding New Accounts

When user provides new credentials:

  • Ask for account name
  • Ask for main wallet address (user)
  • Ask for API wallet address (signer)
  • Ask for API wallet private key
  • Store in TOOLS.md with masked display confirmation

Signing Requests

All authenticated endpoints require an EIP-712 ECDSA signature, produced as follows:

  1. Collect all API parameters as key-value pairs (all values as strings)
  2. Sort the parameters by ASCII key order
  3. Combine the sorted parameters with user (main wallet address), signer (API wallet address), and nonce (microsecond timestamp) using Web3 ABI encoding
  4. Compute the Keccak256 hash of the ABI-encoded data
  5. Sign the hash with the API wallet's private key via ECDSA
  6. Include user, signer, nonce, and signature in the request
  7. The timestamp parameter must be the current time in milliseconds; the request is only valid within recvWindow (default 5000ms) of it

See references/authentication.md for implementation details.
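The seven steps above as runnable code. This is an added example, not the skill's own code and not the contents of references/authentication.md; it is standard-library Python (3.8+) with Keccak-256 and secp256k1 written out so it runs offline without web3 or eth_account. Two points the steps leave open are assumptions here and must be checked against references/authentication.md before any live use: that the sorted parameters are serialised as compact JSON and ABI-encoded as the tuple (string params, address user, address signer, uint256 nonce), and that the Keccak-256 digest is signed directly without an EIP-191 prefix. The nonce derivation inside `ecdsa_sign` is a keccak-based simplification of RFC 6979, and the addresses and key in the usage note are constructed, not real.

```python
import json
import time

# ---- Keccak-256 (Ethereum's hash; hashlib.sha3_256 pads differently and will NOT match) ----
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61], [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def rol64(v, n):
    return ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def keccak_f(a):  # a[x][y] holds the 25 64-bit lanes; 24 rounds of theta, rho+pi, chi, iota
    for rc in RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = rol64(a[x][y], ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]
        a[0][0] ^= rc
    return a

def keccak256(data):
    buf = bytearray(data) + b"\x01"            # original Keccak domain byte (SHA-3 uses 0x06)
    buf += b"\x00" * (-len(buf) % 136)         # rate is 136 bytes for a 256-bit output
    buf[-1] |= 0x80                            # pad10*1
    st = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), 136):
        for i in range(17):                    # lane i lives at (x, y) = (i % 5, i // 5)
            st[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        st = keccak_f(st)
    return b"".join(st[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

# ---- secp256k1 ECDSA, just enough to sign and to check a signature ----
P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G_BASE = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
          0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p, q):
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P_FIELD == 0:
        return None                            # p + (-p) is the point at infinity
    num, den = (3 * p[0] * p[0], 2 * p[1]) if p == q else (q[1] - p[1], q[0] - p[0])
    lam = num * pow(den % P_FIELD, -1, P_FIELD) % P_FIELD
    x = (lam * lam - p[0] - q[0]) % P_FIELD
    return x, (lam * (p[0] - x) - p[1]) % P_FIELD

def point_mul(k, p):                           # double-and-add
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p, k = point_add(p, p), k >> 1
    return r

def ecdsa_sign(digest, priv):
    z = int.from_bytes(digest, "big")
    k = int.from_bytes(keccak256(priv.to_bytes(32, "big") + digest), "big") % N_ORDER or 1  # deterministic k (simplified RFC 6979)
    x, y = point_mul(k, G_BASE)
    r, rec = x % N_ORDER, y & 1
    s = pow(k, -1, N_ORDER) * (z + r * priv) % N_ORDER
    if s > N_ORDER // 2:                       # low-s form, as Ethereum signatures require
        s, rec = N_ORDER - s, rec ^ 1
    return r, s, 27 + rec                      # v = 27/28 recovery id, Ethereum convention

def ecdsa_verify(digest, r, s, pub):
    if not (0 < r < N_ORDER and 0 < s < N_ORDER):
        return False
    z, w = int.from_bytes(digest, "big"), pow(s, -1, N_ORDER)
    pt = point_add(point_mul(z * w % N_ORDER, G_BASE), point_mul(r * w % N_ORDER, pub))
    return pt is not None and pt[0] % N_ORDER == r

# ---- steps 1-7 from the skill, on top of the primitives above ----
def request_digest(canon, user, signer, nonce):
    body = json.dumps(canon, separators=(",", ":")).encode()       # ASSUMED serialisation of the sorted params
    head = b"".join(v.to_bytes(32, "big") for v in (128, int(user, 16), int(signer, 16), nonce))
    tail = len(body).to_bytes(32, "big") + body + b"\x00" * (-len(body) % 32)  # dynamic string at offset 128
    return keccak256(head + tail)              # step 4: keccak of the ABI-encoded tuple

def sign_request(params, user, signer, priv_hex, nonce=None):
    canon = {k: str(params[k]) for k in sorted(params)}            # steps 1-2: strings, ASCII key order
    nonce = time.time_ns() // 1000 if nonce is None else nonce     # step 3: microsecond nonce
    r, s, v = ecdsa_sign(request_digest(canon, user, signer, nonce), int(priv_hex, 16))  # step 5
    sig = "0x" + r.to_bytes(32, "big").hex() + s.to_bytes(32, "big").hex() + f"{v:02x}"
    return {**canon, "user": user, "signer": signer, "nonce": str(nonce), "signature": sig}   # step 6
```

Usage: `sign_request({"symbol": "BTCUSDT", "side": "BUY", "type": "MARKET", "quantity": "0.001", "timestamp": int(time.time() * 1000), "recvWindow": 5000}, main_wallet, api_wallet, os.environ["SIGNER_PRIVATE_KEY"])` returns the form fields to POST; step 7 is satisfied by the caller supplying the current millisecond timestamp. Reading the key from SIGNER_PRIVATE_KEY (the variable the skill's reference uses) keeps it out of the chat transcript and out of TOOLS.md, and the key is only ever touched inside `ecdsa_sign`.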
