v1.0.3

Freqtrade Tools

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:52 AM.

Analysis

This is a coherent Freqtrade shortcut skill, but it can control a cryptocurrency trading bot and includes a Windows batch example with unsafe unvalidated input handling.

GuidanceReview the aliases before installing. Only run bot-control commands after confirming whether Freqtrade is connected to live trading, and avoid or harden the Windows batch examples unless they validate inputs strictly.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

description: "... Freqtrade (cryptocurrency trading bot) ... controlling the bot." ... `ftstart` | Start docker-compose services ... `ftrestart` | Restart docker-compose services

The skill explicitly provides shortcuts to start and restart services for a cryptocurrency trading bot. This is purpose-aligned, but the artifacts do not add confirmation, dry-run checks, or live-trading warnings before high-impact bot-control actions.

User impactIf invoked against a live Freqtrade setup, these shortcuts could start automated trading or interrupt running trading services.

RecommendationRequire explicit user approval before running ftstart, ftstop, or ftrestart, and verify whether the bot is in dry-run or live-trading mode before using these shortcuts.

Unexpected Code Execution

SeverityMediumConfidenceMediumStatusConcern

references/windows-equivalents.md

set DAYS=%~2 ... for /f %%A in ('powershell -Command "(Get-Date).AddDays(-!DAYS!).ToString('yyyyMMdd')"') do (

The batch example takes the Days argument from raw command-line input and embeds it in a PowerShell command string without enforcing numeric validation in the script.

User impactIf the batch file is copied and later called with malformed or untrusted arguments, local command execution behavior could be altered unexpectedly.

RecommendationPrefer the PowerShell functions with typed parameters, or add strict numeric validation and safer parameter passing to the batch files before using them.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

Copy functions from `references/bash-zsh-aliases.md` into `~/.bashrc` ... or `~/.zshrc` ... PowerShell: Copy functions ... into your `$PROFILE` file.

The installation instructions intentionally persist these helper functions in shell startup/profile files.

User impactThe shortcuts will remain available in future shell sessions until the profile entries are removed.

RecommendationInstall only the functions you need and remove the copied profile entries if you later decide not to use the skill.