Phemex Trade

Audited by ClawScan on May 10, 2026.

Overview

This is a plausible Phemex trading integration, but it can make real trades and transfers with your exchange API secret and relies on an external npm CLI that was not reviewed here.

Only install this if you are comfortable giving an external CLI access to your Phemex account. Use a restricted API key, verify the npm package and source, pin the version, and require manual confirmation before any order, leverage change, cancellation, or fund transfer.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly, the agent could place unwanted trades, change leverage, cancel orders, or move funds between Phemex wallets, potentially causing financial loss.

Why it was flagged

These are high-impact financial actions. The provided artifacts do not show explicit human confirmation, limits, or safety checks before non-read-only trading operations.

Skill content

place, amend, or cancel orders ... set leverage or switch position modes ... transfer funds between spot and futures wallets

Recommendation

Require explicit user confirmation for every non-read-only action with the exact symbol, side, quantity, price, leverage, and transfer direction; prefer testnet or read-only mode unless intentionally trading.

What this means

A broad or poorly protected API key could let the tool trade or access account information with the user's exchange privileges.

Why it was flagged

The CLI uses Phemex API credentials and may persist them locally, giving the tool delegated account authority for the exchange.

Skill content

Credentials are loaded from environment variables or `~/.phemexrc`

Recommendation

Use a dedicated least-privilege Phemex API key, disable withdrawals if possible, restrict by IP where supported, avoid unnecessary write permissions, protect ~/.phemexrc, and rotate the key if exposed.

What this means

Installing or updating the package could run code that has access to your API credentials and trading authority, and the reviewed artifacts do not let us verify what that code does.

Why it was flagged

The setup points to a globally installed, unpinned npm package for a CLI that handles exchange credentials and trading operations; no package implementation code is included in the supplied artifacts.

Skill content

npm install -g phemex-trade-mcp@latest

Recommendation

Pin and verify the package version, review the package source and npm provenance before use, install in an isolated environment, and avoid automatic updates for credential-handling trading tools.