Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Autonomous Trading System

v1.0.1

Fully automated intelligent trading system - unattended, self-evolving, stable profits. Includes core features such as risk control, market regime detection, dynamic stop-loss, and position management.

MIT-0
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a Node-based trading bot and shows commands like `node auto-trading-bot.js start` and references exchange usage, which logically require a node binary and exchange API credentials. However the top-level Requirements block lists no binaries or env vars, while _meta.json does list 'node' and 'BINANCE_API_KEY'/'BINANCE_API_SECRET'. This mismatch between declared requirements and actual instructions is inconsistent.
Instruction Scope
Runtime instructions direct the agent/user to run local Node scripts (start, positions, optimize, report) and include a config example, but none of the referenced JS files are present in the package. The SKILL.md does not instruct reading unrelated system files or exfiltrating data, but it does ask users to contact authors via private messaging for paid services (social-engineering risk). The lack of included code makes the instructions non-executable and potentially a prompt to fetch code from elsewhere.
Install Mechanism
There is no install spec (instruction-only), which is low risk by itself. However the skill advertises and documents JS files (auto-trading-bot.js, risk-manager.js, etc.) that are not bundled — without an install mechanism or packaged code, it's unclear how those files would appear, which is an operational/integrity concern (could indicate missing files or expectation of external downloads).
Credentials
_meta.json declares BINANCE_API_KEY and BINANCE_API_SECRET (reasonable for a trading bot), but the package's visible requirements block earlier shows no required env vars. The skill asks for sensitive exchange credentials implicitly but does not consistently declare them. Requesting exchange API keys is proportional for a trading bot, but the inconsistency and absence of guidance about least-privilege (e.g., 'withdrawals disabled' API key) is concerning.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide config modifications. There are no special persistence or privilege requests in the package metadata.
What to consider before installing
Do not install or run this skill as-is. Key issues: (1) The SKILL.md expects Node scripts that are not included in the package, so the skill is non-functional or relies on fetching code from elsewhere — ask the publisher for the actual source files and a clear install procedure. (2) The metadata inconsistently lists required environment variables (BINANCE API keys) while other parts show none; if you supply exchange API keys only provide restricted keys (disable withdrawals) and use least privilege. (3) Verify the author's identity and hosting/source (GitHub, release tarball) and review the actual code before giving any credentials or funds. Recommended next steps: request a full source bundle or a link to a trusted repository, confirm a documented install method, insist on explicit guidance for API key scopes, run the code in an isolated environment and test with minimal funds or paper trading. If the author asks you to send credentials via private messaging (WeChat/Telegram) or to run code fetched from ad-hoc URLs, treat that as high risk.




Runtime requirements
