Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Grid Trading Pro
v1.0.0
Enhanced grid trading bot with auto-adjust, multi-coin support, auto-compound profits, and risk management. Passive income through automated buy-low-sell-high.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The README/description and SKILL.md advertise an automated Binance grid trader (auto-adjust, multi-coin, auto-compound) and the registry lists BINANCE_API_KEY and BINANCE_SECRET_KEY as required. The included index.js, however, contains only a local price simulator and simulated order logic and does not call any exchange APIs or reference environment variables. package.json lists ccxt as a dependency (expected for exchange integrations) but the code does not use it. This mismatch suggests the declared capability (live trading on Binance) is not implemented in the supplied code.
Instruction Scope
SKILL.md instructs users to set BINANCE_API_KEY and BINANCE_SECRET_KEY and shows example configurations containing other sensitive credentials (Telegram bot token, SMTP user/pass, Discord webhook). The runtime instructions do not tell the agent to read unrelated system files, but they do prompt the user to provide sensitive secrets that are not actually referenced by the shipped code. That discrepancy is problematic: a user following the docs would expose credentials without a code path that requires them.
Install Mechanism
There is no install spec (instruction-only install) and no external download URLs, which is lower risk. package.json declares ccxt as a dependency (a reasonable library for exchange APIs), but since index.js doesn't use network or ccxt, the dependency is unnecessary. No high-risk install behavior (remote extracts, IP URLs) is present.
Credentials
The skill requires two sensitive Binance environment variables. Requiring Binance keys would be proportionate for a real exchange bot, but the shipped code does not use them, so requesting these secrets is disproportionate and potentially abusive. SKILL.md also contains examples that would ask users to provide other credentials (webhook URLs, SMTP credentials) without declaring them as required env variables.
Persistence & Privilege
The skill is not flagged always:true, does not request system-wide config paths, and does not attempt to modify other skills or global settings in the provided files. Autonomous invocation is allowed by default (normal).
What to consider before installing
Do not provide your live Binance API keys to this skill as packaged. The code included simulates prices locally and does not use the BINANCE_API_KEY / BINANCE_SECRET_KEY, so the skill's declared need for those secrets is inconsistent and could lead to unnecessary exposure. Before installing or running: (1) ask the author to explain why keys are required and to show the production code that uses them; (2) review or run the code in a sandboxed/test environment; (3) if you must test with exchange credentials, create API keys with minimal permissions (no withdraw), IP restrictions, or use Binance testnet keys only; (4) verify that any notification/webhook/SMTP credentials you provide are intentionally used and secured; and (5) consider removing unnecessary environment variables or waiting for an updated release where implementation matches the advertised behavior.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9740cvhmxvm9934qbcxqqqn4s83a8k6
Runtime requirements
📊 Clawdis
Env: BINANCE_API_KEY, BINANCE_SECRET_KEY
