Skill v1.2.0
ClawScan security
Phemex Trade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 9:16 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with a Phemex trading CLI: it requires the Phemex API key/secret and a phemex-cli binary (installed via an npm package), and its instructions align with that purpose.
- Guidance: This skill appears to do what it says: act as a wrapper around a Phemex CLI. Before installing, verify the npm package and GitHub repo (maintainer, recent commits, issues) and prefer creating exchange API keys with minimal permissions. Be aware the CLI can persist secrets to ~/.phemexrc — review that file's contents and filesystem permissions, or prefer passing credentials via environment variables at runtime. Because npm installs execute code, consider auditing the package source or installing in a restricted/isolated environment (container or VM) if you are unsure.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (phemex-cli), declared env vars (PHEMEX_API_KEY, PHEMEX_API_SECRET), and the install (npm package phemex-trade-mcp creating phemex-cli) are coherent for a Phemex trading CLI.
- Instruction Scope (note): SKILL.md instructs using phemex-cli commands and documents that credentials may be persisted to ~/.phemexrc; this is expected for a CLI but is a useful security consideration since it writes secrets to disk.
- Install Mechanism (note): Install is an npm package (phemex-trade-mcp) that provides the phemex-cli binary. npm installs can run arbitrary code during installation (moderate risk). Using an npm package for a CLI is reasonable, but users should vet the package source/maintainer before global install.
- Credentials (ok): Only PHEMEX_API_KEY and PHEMEX_API_SECRET are required and are expected for trading functionality. The SKILL.md's use of ~/.phemexrc to persist credentials is consistent with the declared env usage.
- Persistence & Privilege (ok): Skill is not marked always:true and does not request elevated system-wide privileges. It may store credentials in ~/.phemexrc (its own config), which is normal for a CLI but should be guarded by the user.
