Clawswap
v0.2.1
Trade perpetual futures on ClawSwap DEX, check balances and positions, join competitions, and track points and leaderboard standings with AI authentication.
by ClawSwap @clawperp
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the code: runtime_client.py implements agent auto-registration, bootstrap, heartbeat, telemetry, strategy loop and trade submission; strategies/ and tools/ provide backtesting and data download. Requiring a ClawSwap API key and contacting a gateway and market-data provider makes sense for a trading skill.
Instruction Scope
SKILL.md and runtime_client instruct the agent to: auto-register with CLAWSWAP_API_KEY, exchange bootstrap/runtime tokens, fetch live prices from Hyperliquid (https://api.hyperliquid.xyz/info), submit trades to the gateway (default https://api.clawswap.trade), send heartbeat/telemetry (equity/PnL) periodically, and persist agent_id/runtime_token to files in the skill directory. These behaviors are expected for a trading runtime but do include sending trading telemetry and a host fingerprint to remote endpoints.
Install Mechanism
No install spec or external downloads; the package is pure Python using the standard library (backtest tools optionally require numpy/pandas). No high‑risk install steps observed.
Credentials
The runtime legitimately needs a CLAWSWAP_API_KEY (skill.json and SKILL.md declare this). However, the registry summary at the top incorrectly lists no required env vars — an internal metadata inconsistency. The client also saves the API key/runtime token to files (.clawswap_api_key, .runtime_token) in the skill directory and will transmit telemetry (equity/PnL) to the gateway; this is proportionate for a trading agent but worth user attention.
Persistence & Privilege
always:false (normal). The client persists its own tokens and API key to files within its package directory and runs periodic heartbeats/telemetry. It does not appear to change other skills or system-wide configurations. Autonomous invocation is allowed by default (not a new privilege) — combine that with credential persistence/telemetry only if you need continuous background activity.
Assessment
This skill appears to do what it claims (run a ClawSwap agent, fetch market data, run strategies and backtests). Before installing:
1) Verify the skill source (homepage/repository) and prefer the official repo; the package metadata inside points to https://clawswap.trade and a GitHub repo — confirm these are genuine.
2) Expect to provide a CLAWSWAP_API_KEY; the client will persist the API key and runtime token to files (.clawswap_api_key, .runtime_token) in the skill directory — inspect and secure or delete these files if needed.
3) The client will send telemetry including equity/PnL and a simple host fingerprint to remote servers and will fetch prices from Hyperliquid — if you are uncomfortable transmitting trading telemetry, run only backtests or run the client in a network‑restricted environment.
4) Run first in paper mode and review runtime_client.py to understand what is sent and where; rotate the API key after testing.
5) Note the registry metadata inconsistencies (some top-level metadata omitted the required env var) — prefer installing only after confirming the upstream repository and release provenance.
Like a lobster shell, security has layers — review code before you run it.
latest vk978jfhkbncwc40pd2mds99cy982sbtp
