Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Vibetrading
v1.0.1
Build, backtest, and deploy cryptocurrency trading strategies using the vibetrading Python framework. Use when: (1) generating trading strategies from natura...
⭐ 1· 769·1 current·2 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and prose describe building, backtesting, and deploying crypto strategies and the SKILL.md provides exactly those instructions (backtest API, live deploy, exchange credentials, AI generation). However the registry metadata shows no required env vars or homepage/source, which is inconsistent with the clear runtime need for exchange API keys and LLM API keys.
Instruction Scope
Instructions are narrowly scoped to authoring strategies, backtesting, and live deployment. They explicitly tell the agent to read strategy files, load a .env.local for credentials, call vibetrading.live.start(...) with api_key/api_secret, and optionally use ANTHROPIC_API_KEY or OPENAI_API_KEY for AI generation. The only scope issue is that these runtime behaviors require sensitive secrets and file reads but the skill metadata does not declare them.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code; SKILL.md recommends pip install vibetrading (normal for a Python library). No remote download/extract or unknown install host is specified in the skill bundle itself.
Credentials
The runtime clearly needs exchange credentials (wallet/private key or api key/secret) and LLM API keys for AI generation, yet the skill metadata lists no required env vars and no primary credential. The absence of declared env requirements plus the suggestion to store private keys in .env.local is a mismatch and increases risk — you should only provide minimal credentials, prefer scoped API keys, and verify where keys are used.
Persistence & Privilege
always:false and no install steps mean the skill does not request permanent elevated presence. It does instruct reading local files (strategy code, .env.local) and using those values at runtime, which is expected for live trading. No instructions attempt to change other skills or system-wide settings.
What to consider before installing
This skill's instructions look like a legitimate crypto trading framework, but there are two red flags you should resolve before installing or handing over secrets: (1) the registry metadata does not declare the environment variables the SKILL.md clearly needs (exchange API keys / private keys, and ANTHROPIC_API_KEY or OPENAI_API_KEY). That mismatch could be an oversight or a sign the publisher omitted sensitive requirements. (2) There is no homepage or source URL listed — you have no way to review the package source or verify the maintainer. Recommended actions: verify the vibetrading PyPI package and its source repository (look for a homepage, GitHub repo, and recent commits); prefer exchange API keys with minimal scopes or test with read-only/sandbox credentials first; never paste a long-term private key into a project you haven't audited (use ephemeral keys or hardware wallets where supported); require the publisher to add explicit required env metadata and a source link before using for live trading; and run all code in isolated sandboxes/backtests until you confirm behavior.
Like a lobster shell, security has layers — review code before you run it.
