Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenMM Exchange Setup

v0.1.0

Step-by-step guide to configure exchange API credentials for OpenMM.

by Angelos Kappos (@adacapo21)
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (OpenMM exchange setup) aligns with required binary 'openmm' and the npm install of @3rd-eye-labs/openmm which provides that binary. Required env vars and CLI commands in SKILL.md are appropriate for configuring exchange API keys.
Instruction Scope
The SKILL.md stays within the setup/troubleshooting scope (creating keys, exporting env vars, testing balance/ticker calls). However, it includes an example that embeds API keys directly in an MCP client JSON (risk of accidental commit/exposure) and recommends running system commands like 'sudo ntpdate' (a privileged action) without guidance on safer alternatives. The instructions do not request unrelated files or credentials.
Install Mechanism
Install uses an npm scoped package (@3rd-eye-labs/openmm) that creates an 'openmm' binary. npm installs are a common, traceable choice but carry moderate risk because package contents and publisher trust matter; there are no code files in the skill to review and no authoritative upstream URL provided in metadata.
Credentials
The environment variables the skill asks you to set are exactly the exchange API keys/passphrases needed for the supported exchanges. That is proportionate. Caution: the skill's examples show placing secrets in a JSON config, which increases risk of leakage if the file is committed or shared.
Persistence & Privilege
Skill does not request elevated privileges, does not set always:true, and asks for no system config paths. No persistent or privileged system changes are requested in the instructions.
Assessment
This skill is coherent for configuring OpenMM exchange credentials, but take these precautions before installing or using it:

  1. Verify the npm package publisher and inspect the package (or its repository) before installing globally; do not blindly trust a scoped package without checking its source.
  2. Prefer storing keys in a secure secret manager or environment variables rather than embedding them in JSON config files; never commit files containing keys.
  3. Use least-privilege API keys (disable withdrawals, restrict to required permissions, and use IP whitelisting).
  4. For troubleshooting commands that require privileges (e.g., 'sudo ntpdate'), prefer safer, documented time-sync methods for your OS and avoid running privileged commands without understanding them.
  5. Test with low-value accounts/keys first and rotate keys after use.

If you can provide the package repository or a link to the npm page for @3rd-eye-labs/openmm, I can raise or lower my confidence and re-evaluate the install risk.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔑 Clawdis
Bins: openmm

Install

Node
Bins: openmm
npm i -g @3rd-eye-labs/openmm
394 downloads
0 stars
1 version
Updated 7h ago
v0.1.0
MIT-0

OpenMM Exchange Setup

Interactive guide for configuring exchange API credentials in OpenMM.

When to Use

Use this skill when:

  • Setting up OpenMM for the first time
  • Adding a new exchange
  • Troubleshooting connection issues

Supported Exchanges

Exchange   Min Order    Credentials Required
MEXC       1 USDT       API key + Secret
Gate.io    1 USDT       API key + Secret
Bitget     1 USDT       API key + Secret + Passphrase
Kraken     5 EUR/USD    API key + Secret

Setup Workflow

Step 1: Create API Keys

Guide user to the exchange's API management page:

MEXC:    https://www.mexc.com/ucenter/api
Gate.io: https://www.gate.io/myaccount/apikeys
Kraken:  https://www.kraken.com/u/security/api
Bitget:  https://www.bitget.com/account/newapi

Step 2: Configure Permissions

Required permissions for each exchange:

MEXC:

  • Enable Spot Trading
  • Enable Reading
  • Disable Withdrawals (safety)
  • IP whitelist recommended

Gate.io:

  • Spot Trade
  • Spot Read
  • No Withdraw permission
  • IP whitelist recommended

Kraken:

  • Query Funds
  • Query Open Orders & Trades
  • Create & Modify Orders
  • No Withdraw permission

Bitget:

  • Trade
  • Read Only
  • No Transfer permission
  • Note the Passphrase — it is set when creating the API key

Step 3: Set Environment Variables

OpenMM uses environment variables for credentials. Add them to your .env file or export in your shell:

# MEXC
export MEXC_API_KEY="your_mexc_api_key"
export MEXC_SECRET="your_mexc_secret_key"

# Gate.io
export GATEIO_API_KEY="your_gateio_api_key"
export GATEIO_SECRET="your_gateio_secret_key"

# Bitget (requires passphrase)
export BITGET_API_KEY="your_bitget_api_key"
export BITGET_SECRET="your_bitget_secret_key"
export BITGET_PASSPHRASE="your_bitget_passphrase"

# Kraken
export KRAKEN_API_KEY="your_kraken_api_key"
export KRAKEN_SECRET="your_kraken_secret_key"

Or create a .env file in the project root:

MEXC_API_KEY=your_mexc_api_key
MEXC_SECRET=your_mexc_secret_key
GATEIO_API_KEY=your_gateio_api_key
GATEIO_SECRET=your_gateio_secret_key
BITGET_API_KEY=your_bitget_api_key
BITGET_SECRET=your_bitget_secret_key
BITGET_PASSPHRASE=your_bitget_passphrase
KRAKEN_API_KEY=your_kraken_api_key
KRAKEN_SECRET=your_kraken_secret_key

Step 4: Verify Connection

Test that credentials work by checking balances:

# MEXC
openmm balance --exchange mexc

# Gate.io
openmm balance --exchange gateio

# Bitget
openmm balance --exchange bitget

# Kraken
openmm balance --exchange kraken

Step 5: Test Market Data

Confirm market data access:

openmm ticker --exchange mexc --symbol BTC/USDT
openmm orderbook --exchange kraken --symbol ADA/EUR --limit 5

MCP Server Setup

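To use OpenMM as an MCP server, add the following to your MCP client config. The server is a separate npm package, @qbtlabs/openmm-mcp, which npx fetches and runs; it is published under a different scope from the @3rd-eye-labs/openmm CLI installed above, so verify its publisher as well: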

{
  "mcpServers": {
    "openmm": {
      "command": "npx",
      "args": ["@qbtlabs/openmm-mcp"],
      "env": {
        "MEXC_API_KEY": "your_key",
        "MEXC_SECRET": "your_secret",
        "KRAKEN_API_KEY": "your_key",
        "KRAKEN_SECRET": "your_secret"
      }
    }
  }
}

Only include env vars for exchanges you want to use.

Troubleshooting

"credentials not found"

  • Verify environment variables are set: echo $MEXC_API_KEY
  • Check .env file is in the correct directory
  • Ensure variable names match exactly (e.g. MEXC_SECRET not MEXC_SECRET_KEY)

"credentials validation failed" (Bitget)

  • Verify all three vars: BITGET_API_KEY, BITGET_SECRET, BITGET_PASSPHRASE
  • The passphrase is set when creating the API key on Bitget

"authentication failed" (Kraken)

  • Verify KRAKEN_API_KEY and KRAKEN_SECRET
  • Check key permissions on Kraken API settings page

"Timestamp Error"

  • System clock may be out of sync
  • Run: sudo ntpdate time.google.com

"Rate Limited"

  • Reduce request frequency
  • Check exchange's rate limit docs

Security Best Practices

  1. Never enable withdrawals — trading doesn't need it
  2. Use IP whitelisting — restrict to your server's IP
  3. Never commit .env files — add .env to .gitignore
  4. Rotate keys periodically — every 90 days recommended
  5. Use separate keys for testing — don't mix testnet/mainnet
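
The checks implied by practice 3 above and by the scan's note on keys embedded in the MCP client JSON, as an added example (not part of the skill or of OpenMM): a Python audit that flags a .env readable by other users, a .env missing from .gitignore, and credential variables written as literals in an MCP config. `audit_project`, `demo` and the `mcp.json` file name are hypothetical, the sample project is constructed, and the .gitignore test is an exact-pattern match rather than git's full matching.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Credential variable names from Step 3 of the guide.
SECRET_VARS = {
    "MEXC_API_KEY", "MEXC_SECRET", "GATEIO_API_KEY", "GATEIO_SECRET",
    "BITGET_API_KEY", "BITGET_SECRET", "BITGET_PASSPHRASE",
    "KRAKEN_API_KEY", "KRAKEN_SECRET",
}
IGNORE_PATTERNS = {".env", "/.env", ".env*", "*.env"}  # simplified, not git's matcher

def audit_project(root, mcp_config=None):
    """Hypothetical helper: list credential-handling problems, never the secrets."""
    root, findings = Path(root), []
    env_file = root / ".env"
    if env_file.exists():
        # Any group/other permission bit lets other local accounts read the keys.
        if stat.S_IMODE(env_file.stat().st_mode) & 0o077:
            findings.append(".env is accessible to group/other (want mode 600)")
        gitignore = root / ".gitignore"
        lines = gitignore.read_text().splitlines() if gitignore.exists() else []
        if not IGNORE_PATTERNS & {line.strip() for line in lines}:
            findings.append(".env is not covered by .gitignore")
    if mcp_config is not None:
        servers = json.loads(Path(mcp_config).read_text()).get("mcpServers", {})
        for name, server in servers.items():
            for var, value in server.get("env", {}).items():
                # Report the variable name only; the value stays out of the output.
                if var in SECRET_VARS and value:
                    findings.append(f"MCP server '{name}' embeds a literal {var}")
    return findings

def demo():
    """Run the audit on a constructed project that repeats the risky setup."""
    with tempfile.TemporaryDirectory() as tmp:
        env_file = Path(tmp, ".env")
        env_file.write_text("MEXC_API_KEY=constructed\nMEXC_SECRET=constructed\n")
        os.chmod(env_file, 0o644)  # world-readable, and no .gitignore exists
        config = Path(tmp, "mcp.json")
        config.write_text(json.dumps({"mcpServers": {"openmm": {
            "command": "npx", "args": ["@qbtlabs/openmm-mcp"],
            "env": {"MEXC_API_KEY": "constructed", "MEXC_SECRET": "constructed"}}}}))
        return audit_project(tmp, config)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it from a pre-commit hook or CI step so a non-empty result blocks the commit.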
