Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AlphaStrike

v1.0.0

Generates rule-based LONG or SHORT trading signals for BTC, ETH, and SOL perpetuals using RSI, MACD, EMA crossover, Bollinger Bands, and volume ratio indicat...

Security Scan
Capability signals
Crypto, Requires wallet, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with included Python code: the scripts compute RSI/MACD/EMA/Bollinger indicators from Hyperliquid data and produce signals, and execute.py can simulate (and is structured to place) trades. However SKILL.md/README repeatedly reference scripts/signal.py and folders (workflows/, data/) that are not present in the manifest; the actual signal script files are named scripts/alphastrike_signal.py and scripts/_signal_old.py. This discrepancy will cause runtime errors and indicates sloppy packaging.
!
Instruction Scope
Runtime instructions ask the agent to run scripts in ~/.openclaw/workspace/skills/alphastrike and to run scripts/signal.py (nonexistent). The SKILL.md front-matter sets metadata.openclaw.always: true (forcing always-inclusion) even though registry flags show always:false — the skill's own instructions therefore attempt to elevate persistence. The code itself calls out to Hyperliquid endpoints (api.hyperliquid.xyz) which is consistent with purpose; it does not attempt to read unrelated host files or environment secrets. Missing referenced files/folders and contradictory metadata are scope/behavior concerns.
Install Mechanism
There is no install spec (instruction-only), so nothing will be automatically downloaded or run at install time. The only code present is plain Python source included in the skill bundle — no external install URLs or archive extraction were specified.
Credentials
The skill declares no required environment variables or credentials. The execution code accepts an optional api_key parameter but does not read or require host secrets. There are no config paths requested that would expose unrelated credentials. This is proportionate for a signal generator and simulated executor.
!
Persistence & Privilege
The SKILL.md contains metadata.openclaw.always: true (with justification text), which would force the skill to be included in every agent run. Registry-level flags show always:false, so there is a direct conflict between manifest and runtime instructions. If the platform honors the SKILL.md field this is a meaningful privilege escalation (skill always loaded). Combined with autonomous invocation being allowed by default, always:true would increase the blast radius if the skill later changes behavior.
What to consider before installing
This skill appears to do what it says (generate trading signals and simulate trade execution), but there are a few red flags you should address before installing:
(1) SKILL.md/README reference scripts/signal.py and folders that are not present — confirm which script is authoritative and fix filenames to avoid runtime errors.
(2) The SKILL.md front-matter sets always:true, conflicting with registry metadata; ask the author why the skill should be force-included in every agent run and remove always:true unless absolutely needed.
(3) The code calls Hyperliquid API endpoints (api.hyperliquid.xyz) — expected for this purpose, but review network access policies if you restrict outbound connections.
(4) Because packaging is sloppy (missing files, name mismatches), run the skill in a sandbox or with dry-run mode first, inspect/execute the included Python locally, and only grant persistent inclusion after the author resolves the metadata conflict.
If you want help drafting questions to the author or testing the scripts in a safe environment, say so.


latest: vk977rkybcen1t2k84wkh4a0e3x854web
15 downloads
0 stars
1 version
Updated 7h ago
v1.0.0
MIT-0

AlphaStrike v2

Rule-based trading signal generator for BTC, ETH, SOL on Hyperliquid perpetuals.

Indicators

Indicator | Parameters | Signal
--- | --- | ---
RSI | 14 period | >70 overbought, <30 oversold
MACD | standard | trend + momentum
EMA Crossover | 9/21 | short-term trend
Bollinger Bands | 20, 2σ | volatility breakout
Volume Ratio | | >1.5x = strong confirmation

Quick Start

cd ~/.openclaw/workspace/skills/alphastrike

# Generate signal for one symbol
uv run python scripts/signal.py --symbol BTC

# Run full scan (BTC/ETH/SOL)
uv run python scripts/signal.py --all

# Execute workflow
uv run python execute.py

Output Format

{
  "symbol": "BTC",
  "signal": "LONG",
  "confidence": 0.78,
  "indicators": { "rsi": 28, "macd": "bullish", "ema_cross": "golden" },
  "reasoning": "RSI oversold + MACD bullish cross + volume confirmation"
}

Files

  • scripts/signal.py — signal generator
  • execute.py — workflow runner
  • workflows/ — workflow definitions
  • data/ — historical data cache
