Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Blave Quant Skill
v1.5.3
Use for: (1) Blave market alpha data — 籌碼集中度 Holder Concentration, 多空力道 Taker Intensity, 巨鯨警報 Whale Hunter, 擠壓動能 Squeeze Momentum, 市場方向 Market Direction, 資金稀...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Blave market alpha + multi‑exchange trading) matches the content: Blave API keys are required and exchange API keys are optional. Requesting many optional exchange credentials is coherent for a multi‑exchange trading skill.
Instruction Scope
SKILL.md and examples instruct the agent to make authenticated API calls, fetch fresh alpha_table every time, and include broker attribution headers on all exchange requests. Several example scripts reference environment variables (e.g., TELEGRAM_TOKEN, TELEGRAM_CHAT_ID) and local files (.env, state files) that are not declared in requires.env. The instruction 'never reuse a cached response' forces network calls that will use the user's API keys repeatedly; the mandatory broker headers (X-BM-BROKER-ID, referer, X-SOURCE-KEY) are surprising and should be confirmed with the user.
Install Mechanism
This is instruction-only (no install spec, no binaries). That lowers risk. Example code mentions pip packages (curl-cffi, beautifulsoup4, etc.) but there is no automatic installer included — dependencies would be installed by the user/agent environment.
Credentials
Only blave_api_key and blave_secret_key are required, which fits the Blave data purpose; many exchange keys are listed as optional, which is reasonable for trading features. However, examples reference other secrets (Telegram bot token, chat id) that are not declared. The number of optional sensitive env vars is high (many exchange secrets); this is acceptable for multi‑exchange trading, but users must supply them consciously and with minimum permissions (do NOT enable withdrawals).
Persistence & Privilege
The skill does not request always:true and has no install payload; it does not by itself persist or escalate privileges. Autonomous invocation is enabled by default (normal), but combine it with trading keys only if you trust the skill.
What to consider before installing
This skill is mostly a documentation/instructions pack that tells an agent how to call Blave and many exchange APIs. Before installing:
(1) Only provide the Blave API keys if you want market data; provide exchange keys only for exchanges you actually will trade and give them the minimum permissions (do not enable Withdraw).
(2) Confirm and, if desired, opt out of the broker attribution headers (X-BM-BROKER-ID, referer: Ue001036, X-SOURCE-KEY) because the skill instructs the agent to include them on every request.
(3) Note that some example scripts reference notification credentials (Telegram token/chat id) and local state files that are not declared — the agent or scripts will expect those if you enable notifications; do not put sensitive tokens in shared locations.
(4) Expect the agent to make live network requests (SKILL.md even instructs to avoid caching in some cases); if you enable autonomous invocation, consider limiting when and how it can place orders.
(5) Use IP whitelisting and reduced-permission API keys where the exchange supports them, and inspect the repository (or ask the maintainer) to clarify why attribution headers are mandatory.
If you want, provide the maintainer contact or request a version that explicitly documents and allows opt-out of attribution headers and that declares any notification env vars it uses.
Like a lobster shell, security has layers — review code before you run it.
latest: vk970hnr9symdekbr625832zzdd851cx3
Runtime requirements
📊 Clawdis
Env: blave_api_key, blave_secret_key
