Trading Decision Pro

This skill's code implements a trading assistant and contains no obvious network-download/install steps, but several inconsistencies are concerning: SKILL.md promises automatic "knowledge injection" (searching local files like tasks/KNOWLEDGE.md), cross-review endpoints, and session snapshot files that are not included; index.js optionally reads TRADING_DECISION_API_KEY even though no env is declared; the SKILL.md contains external payment/contact instructions (WeChat/Telegram) which are outside the registry flow. Before installing or providing any credentials: - Ask the maintainer to explain and include the referenced files (tasks/KNOWLEDGE.md, SESSION-SNAPSHOT.md, cross-review tooling) or remove those claims. - Request that the skill metadata explicitly declare any environment variables (e.g., TRADING_DECISION_API_KEY) and document what the key is used for and where network calls go. - Inspect the remaining parts of index.js (the provided index.js was truncated) for any network calls, hidden endpoints, or data exfiltration logic. Run the bundled tests locally in a sandboxed environment to see behavior. - Do not provide secrets (API keys, exchange credentials, AWS keys) to the skill until provenance (author/repo) is verified and the env requirements are explicit. - Be cautious about following payment/contact instructions embedded in SKILL.md; prefer official support channels (registry/maintainer contact) rather than ad-hoc WeChat/Telegram payment flows. These issues could be innocent sloppy packaging/documentation, but they create risk — treat the package as untrusted until the maintainer resolves the inconsistencies and proves the code's provenance.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.