Funding Rate Trader

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: funding-rate-trader
Version: 1.0.1

The skill bundle is classified as benign. All files, including `SKILL.md`, align with the stated purpose of an automated crypto funding rate arbitrage strategy. The `SKILL.md` does not contain any prompt injection attempts. The JavaScript files (`scan.js`, `trader.js`, `monitor.js`) access Binance API keys from the expected `~/.openclaw/secrets/binance.json` path and use them solely for legitimate interactions with the Binance API via the `ccxt` library (e.g., fetching market data, checking balance, placing trades). There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation. The financial risks associated with high-leverage trading are explicitly mentioned in the documentation, but this is not a security vulnerability.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or agent could open a real leveraged crypto position, potentially causing rapid financial loss or liquidation.

Why it was flagged

Running the trader can use up to 90% of available USDT, set 20x leverage, and place a real Binance Futures market order without an explicit confirmation or dry-run default.

Skill content

const size = Math.min(available * 0.9, 100);
await exchange.setLeverage(CONFIG.LEVERAGE, best.symbol + '/USDT:USDT');
...
await exchange.createOrder(best.symbol + '/USDT:USDT', 'market', 'buy', qty, null, { positionSide: 'LONG' });

Recommendation

Default to scan-only or testnet/dry-run mode, require explicit human confirmation before every order, set conservative position caps, and clearly show the exact order before submission.

What this means

If the provided Binance key has broad permissions, the skill can exercise significant account authority for futures trading.

Why it was flagged

The skill reads a persistent local Binance API key and secret for futures trading. This is purpose-aligned, but the artifacts do not clearly bound required key permissions, and the registry metadata declares no primary credential.

Skill content

const keyPath = process.env.HOME + '/.openclaw/secrets/binance.json';
...
apiKey: keys.apiKey, secret: keys.secret, options: { defaultType: 'future' }

Recommendation

Declare the Binance credential requirement in metadata and documentation, recommend a restricted API key with withdrawals disabled, use IP restrictions where possible, and document the exact permissions needed.

What this means

Users may underestimate the chance of losses and allow automated leveraged trades based on unrealistic expectations.

Why it was flagged

The documentation advertises very high expected annual returns. Although it includes a risk warning, these claims could make users over-trust a high-leverage, non-guaranteed trading strategy.

Skill content

| $100 | $5-15 | 1800-5400% | ... | $1000 | $50-150 | 1800-5400% |

Recommendation

Remove or heavily qualify return projections, explain liquidation/slippage/fees and directional exposure, and avoid presenting the strategy as low-risk arbitrage.

What this means

The skill may fail to run or require users to install an unspecified dependency, which matters more because the dependency handles trading API calls.

Why it was flagged

The runtime depends on the external ccxt package, but no install spec, package manifest, or pinned dependency version is provided. This is expected for Binance trading but under-specified.

Skill content

const ccxt = require('ccxt');

Recommendation

Provide a package.json and lockfile or a clear pinned installation step for ccxt, and document the expected Node.js runtime.