Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
KryptoGO Meme Trader
v2.5.6Analyze and trade meme coins using KryptoGO's on-chain cluster analysis platform. Covers wallet clustering, address labels, accumulation/distribution detecti...
⭐ 2· 614·1 current·1 all-time
byHarry Chen@a00012025
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill claims to analyze on-chain signals and execute Solana trades. The required env vars (KRYPTOGO_API_KEY, SOLANA_PRIVATE_KEY, SOLANA_WALLET_ADDRESS), the network host (wallet-data.kryptogo.app), and binaries (python3, pip, openclaw) are appropriate and expected for on-chain analysis, building/signing transactions locally, and scheduling cron jobs via OpenClaw. No unrelated cloud credentials or extraneous services are requested.
Instruction Scope
SKILL.md and the scripts limit network calls to the KryptoGO API domain and instruct the agent to source the workspace .env for credentials. Runtime scripts rely on environment variables (not arbitrary file reads) except for scripts/setup.py which explicitly reads/writes ~/.openclaw/workspace/.env for initial keypair generation/repair (documented in the skill). Cron scripts, monitor, swap, and reporting scripts operate on the declared workspace paths and memory journal files only.
Install Mechanism
There is no external download/install URL; required Python packages (solders, requests) are installed via pip by the included setup.py script. The approach is typical for a Python-based skill. No suspicious remote archives, URL shorteners, or personal servers are used in the install steps shown.
Credentials
The skill requires the private key (SOLANA_PRIVATE_KEY) as an env var and writes/reads ~/.openclaw/workspace/.env during setup. This is proportionate to a local-signing trading agent, but it is high privilege: anyone who supplies the private key to the environment grants the skill full signing ability for that wallet. The skill states it will not exfiltrate keys and that only setup.py touches .env; that is consistent in the code. Users should treat the requested private key as highly sensitive.
Persistence & Privilege
The skill requests write access to the workspace .env and memory directory to persist credentials and trading journals (expected). It does not set always:true and defaults to supervised mode with autonomous trading opt-in. Allowing the agent to run autonomously (platform default) combined with an exposed private key could increase risk, but the skill documents and implements trade confirmations by default.
Assessment
This skill is internally consistent with its trading purpose, but it operates on highly sensitive secrets (your Solana private key) and can install Python packages. Before installing or using it: 1) Only use a dedicated, low-value wallet for this agent; never use a wallet with large balances. 2) Review scripts/setup.py and the examples/trading-workflow.py yourself to confirm there is no unexpected behavior (especially any code that would send secrets to external endpoints). 3) Keep KRYPTOGO_API_KEY and SOLANA_PRIVATE_KEY in ~/.openclaw/workspace/.env with permissions 600 and always source that file locally rather than pasting secrets into chat. 4) Keep autonomous trading disabled unless you fully trust the code and the API host; use supervised mode and manual confirmations by default. 5) Verify the API base (wallet-data.kryptogo.app) and the homepage before funding the agent wallet. If you want extra assurance, audit the full trading-workflow.py and the portions of code that call external endpoints and sign/submit transactions.Like a lobster shell, security has layers — review code before you run it.
cryptovk97ed1hfhh70t8ss5dkmtg1j69827f6rdefivk97ed1hfhh70t8ss5dkmtg1j69827f6rlatestvk97ed1hfhh70t8ss5dkmtg1j69827f6rmemevk97ed1hfhh70t8ss5dkmtg1j69827f6rsolanavk97ed1hfhh70t8ss5dkmtg1j69827f6rtradingvk97ed1hfhh70t8ss5dkmtg1j69827f6r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython3, pip, openclaw
EnvKRYPTOGO_API_KEY, SOLANA_PRIVATE_KEY, SOLANA_WALLET_ADDRESS