Maxxit Lazy Trader
Warn. Audited by ClawScan on May 10, 2026.
Overview
This is a real trading skill, but it can place leveraged financial trades using account credentials, and the artifacts show weak safety/metadata boundaries plus a hardcoded broker login URL that carries an API key parameter.
Install only if you intentionally want agent-assisted trading. Use small limits or testnet first, require manual confirmation for trades, verify MAXXIT_API_URL and any Zerodha/Kite login details, use revocable API keys, and monitor or clear the workspace logs/state between runs.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run by an agent or automation, it could commit a large share of the user's funds to leveraged long or short positions, causing real financial loss.
The script can derive a signal and submit an open-position request using 10x leverage and up to 80% of available balance by default, without a separate confirmation step inside the script.
parser.add_argument("--leverage", type=int, default=10, ...); parser.add_argument("--utilization", type=float, default=0.8, ...); ... "collateral": round(collateral, 2), "leverage": LEVERAGE
Require explicit user confirmation for each trade, default to dry-run or testnet, cap leverage/collateral, and document how to stop or revoke automated strategies.
A user could be directed through a fixed broker application or wallet-linked login flow without clearly understanding whose app/account linkage is being used.
The static scan found a hardcoded Zerodha/Kite login URL containing an api_key parameter and a fixed wallet redirect parameter in the skill documentation.
"login_url": "https://kite.zerodha.com/connect/login?api_key=[REDACTED]&v=3&redirect_params=userWallet%3D0x796a837c78326ba693847deebd7811d6b6854c56"
Remove hardcoded broker login credentials or wallet parameters; require user-specific configuration and clearly show the Kite app ID and redirect wallet before login.
Anyone or anything that can use this key may be able to view balances/positions and execute trades through the Maxxit API.
The scripts authenticate to the Maxxit trading API with a user-provided API key, which is expected for this skill but gives access to sensitive trading actions.
MAXXIT_API_KEY = os.environ.get("MAXXIT_API_KEY") ... session.headers.update({"X-API-KEY": MAXXIT_API_KEY, "Content-Type": "application/json"})
Use a restricted, revocable API key if available; verify MAXXIT_API_URL is the intended Maxxit domain; revoke the key if the skill behaves unexpectedly.
Install-time metadata may not adequately warn users that the skill needs a trading API key and can execute financial transactions.
The registry metadata under-declares the required trading credential and capability compared with SKILL.md and the Python files.
Required env vars: none ... Primary credential: none ... Capability signals: No capability tags were derived.
Update registry metadata to declare MAXXIT_API_KEY, MAXXIT_API_URL, trading/account-access capabilities, and any model-invocation restrictions.
Prior strategy state or logs can carry across runs and may reveal trading activity or influence later automated decisions.
The strategy helpers persist per-venue/per-symbol state and logs in the OpenClaw workspace.
BASE_DIR = "/home/ubuntu/.openclaw/workspace" ... "state_file": os.path.join(BASE_DIR, f"{venue}_{base.lower()}_{safe_strategy}_state.json") ... LOG_DIR = os.path.join(BASE_DIR, "logs")
Review and clear workspace state/logs when changing strategies, symbols, or users; avoid storing credentials in logs.
Bad, stale, or manipulated signals from another trader/agent could be copied into real leveraged positions.
The skill's documented scope includes copy-trading, which can propagate another trader's or agent's actions into the user's own account.
User wants to copy-trade or mirror another trader's positions
Use copy-trading only with explicit source review, position-size limits, stop-loss rules, and manual confirmation for high-value trades.
Users have less assurance that the package is the official Maxxit skill before granting it trading credentials.
The artifact set provides code but does not establish a verified source or install provenance, which matters more for a financial trading integration.
Source: unknown ... No install spec — this is an instruction-only skill.
Verify the publisher, homepage, and GitHub/source package before installation, especially before setting real trading credentials.
