01-exchange-skill(not official)
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent 01.xyz trading-development guide, but it covers real-fund trading, local wallet signing, and external package installs, so users should keep trading actions manual and verified.
Before installing or using this skill, verify the 01.xyz/N1 packages and endpoints from official sources, start with read-only monitoring and devnet, keep the local signing API private to your machine, and require explicit confirmation for every order, deposit, withdrawal, or position-closing action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied or executed carelessly, these examples could change positions or move collateral on a real trading account.
The skill documents API/SDK calls that can place orders, close positions, deposit, and withdraw funds. These are high-impact financial actions, but they are consistent with the stated trading-development purpose and are accompanied elsewhere by approval and testnet guidance.
await nord.placeOrder({ ... }); ... await nord.closeAllPositions(); ... await nord.deposit({ token: 'USDC', amount: 10000.00 }); ... await nord.withdraw({ token: 'USDC', amount: 5000.00 });Use devnet first, require explicit per-action confirmation, set small limits, and never let an agent execute trading or withdrawal calls unattended.
A misconfigured or exposed local API could allow unintended signed trading actions.
Trading requires a locally configured API that signs transactions using the user's wallet setup. This is disclosed and central to the exchange integration, but it is privileged access.
Trading Setup (Requires Local API) ... nord-local-api config ... Start local API ... Local API (signs transactions)
Keep the local API bound to localhost, protect the wallet, use a dedicated low-balance trading wallet, and verify every signed transaction.
Installing the wrong or compromised package could run untrusted code on the user's machine.
The documentation asks users to install external npm packages, including a global CLI/local API package, without pinned versions. This is expected for SDK integration but should be verified.
npm install @n1xyz/nord-ts @solana/web3.js ... npm install -g @n1xyz/local-api
Verify package names against official 01.xyz/N1 documentation, prefer pinned versions, and review package provenance before installing.
A user might over-trust the safety wording and allow broader agent access than intended.
The skill gives strong safety assurances while also documenting trading through a local signing API. The guidance is safety-oriented, but users should treat these as required procedures rather than technical enforcement.
AI cannot spend funds — Impossible without your keys ... Place orders without confirmation — Safety guardrails prevent this ... Every trading action requires explicit human confirmation
Confirm that your agent/tooling actually enforces approval prompts and does not have unattended access to the local API or wallet.