ℹ
Purpose & Capability
Name/description align with the code: scripts fetch Fear & Greed and Binance prices and implement DCA/backtest/rebalance logic. However the executor advertises a 'live' mode that 'requires API keys' yet the code contains no exchange-ordering logic nor any credential handling—it only records state locally. That mismatch between claimed capability (live trading) and actual implementation is unexpected.
!
Instruction Scope
SKILL.md tells users to run the backtest, signals, and executor (including --live). The scripts perform network calls to third-party endpoints (api.alternative.me and api.binance.com) which is expected. Concerns: backtest explicitly writes results to an absolute path (/home/bowen/...), which can overwrite or fail depending on the environment; executor --live will update local state (and stop treating runs as dry-run) without requiring or verifying real exchange API keys, which could mislead a user into thinking trades will be executed when they are only being recorded locally.
✓
Install Mechanism
No install spec; code is included in the bundle and requires only Python and requests. No external archives or arbitrary downloads are performed by an installer. This is the lower-risk install model, though running the scripts will perform network I/O at runtime.
!
Credentials
The skill declares no required environment variables or credentials, but the executor mentions 'live (requires API keys)'. There is no code to read API keys or other secrets, which is inconsistent: a legitimate live-execution skill would request and use exchange API keys. Right now there is no credential exfiltration, but the mismatch is misleading and could cause a user to later paste keys into an ad-hoc location or modify the code insecurely.
ℹ
Persistence & Privilege
always:false (normal). The skill writes persistent state to data/executor_state.json (relative) and the backtest writes to a hard-coded absolute path in /home/bowen/..., which is poor hygiene. It does not alter other skills or system configurations. Autonomous invocation is allowed by default (not flagged here), but combined with the 'live' mislabeling and state writes, users should be careful about unattended runs.
What to consider before installing
This skill generally does what it says (fetches Fear & Greed and Binance prices, backtests, and records DCA buys), but it contains a few red flags you should consider before installing or running it:
- 'Live' mode is misleading: executor.py prints that live requires API keys, but there is no code to place orders on an exchange or to read/store API keys. If you expect automatic trading, this skill will not perform real exchange orders as-is. Do not assume funds will be moved — the script only updates local state.
- Hard-coded absolute path in backtest.py: it writes results to /home/bowen/..., which may fail or overwrite files on your system. Expect to edit that path before running or run in an isolated environment.
- No declared credential handling: if you modify this to integrate real execution, you must add secure credential handling (do NOT paste API keys into the script or commit them).
- Network I/O: the scripts call external services (api.alternative.me and api.binance.com). That is expected, but be aware of network traffic and possible rate limits.
- Source trustworthiness: no homepage and unknown source. Prefer to run only after reviewing and/or auditing the code, run in --dry-run or --paper mode first, and execute in an isolated environment (container or sandbox). If you plan to enable actual trading, implement vetted exchange integration, secrets management, and thorough testing before connecting real funds.
