ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Executor

v2.3.4

Complete autonomous trading engine for Binance with WebSocket real-time, OCO orders, Kelly Criterion position sizing, trailing stops, circuit breakers, daily...

0· 480·1 current·1 all-time
byWesley Armando@georges91560
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (autonomous Binance trading) match the requested artifacts: python3, BINANCE_API_KEY and BINANCE_API_SECRET, optional Telegram tokens, and a sizeable executor.py. External subprocess oracle is optional and documented. Nothing requested appears unrelated to trading.
Instruction Scope
SKILL.md instructs cloning the GitHub repo, installing websocket-client, creating /workspace directories, sourcing /etc/crypto-executor/credentials.env, and running executor.py. It explicitly documents files the bot writes (portfolio_state.json, learned_config.json, etc.). It also calls an optional external script via subprocess; the README/SKILL.md warns to audit that code. No instructions were found that read unrelated system secrets or exfiltrate to unexpected endpoints, but the skill does write persistent files and will run network calls to Binance and optionally Telegram.
Install Mechanism
This is instruction-only (no packaged installer). The recommended install actions are git clone + pip install websocket-client. The SKILL.md suggests using pip with --break-system-packages on shared hosts which can modify system packages and is risky; the doc also recommends using a virtualenv on VPS (safer). The external dependency is a GitHub repo cloned at runtime (optional) — acceptable but requires auditing.
Credentials
Only BINANCE_API_KEY and BINANCE_API_SECRET are required (primary credential declared). TELEGRAM_* vars are optional and justified for alerts. Optional risk-limit env vars are relevant configuration, not extraneous secrets. No unrelated credentials or broad system tokens are requested.
Persistence & Privilege
always:false (no forced inclusion). The skill persists state under /workspace and provides systemd service instructions to run continuously; that is expected for a trading bot. The service guidance suggests placing credentials in /etc/crypto-executor with chmod 600 — a reasonable recommendation. The combination of autonomous execution + real-money trading is high-impact, so users should be careful about keys and service configuration.
Assessment
This skill appears to be what it says (a Binance trading bot) but it operates on real money — review these points before installing: - Audit and pin code: review executor.py and any external repo (crypto-sniper-oracle) and install a specific commit/tag rather than cloning HEAD. - Credentials: create a Binance API key with only the permissions you need (Spot Trading only). Ensure Withdrawals and unnecessary permissions are disabled and prefer IP whitelisting. Treat the API secret as highly sensitive. - Test first: run on Binance testnet or with a very small allocation before trusting live funds. - Avoid --break-system-packages: prefer a virtualenv (python3 -m venv ...) instead of pip install --break-system-packages to avoid altering system packages. - External subprocesses: the oracle is executed as a subprocess — audit it for unexpected network calls or file writes before enabling. - Persistence: the bot writes learned_config.json and performance_metrics.json; back these up if you care about continuity and be aware reinstalling can overwrite them. - Systemd/service: follow least-privilege practices (run as a non-root user, keep credentials file protected) and monitor logs closely. If you want a safer install, request a short checklist of concrete audit points (specific files/lines to inspect) and/or ask for a diff of any changes made by installation steps.

Like a lobster shell, security has layers — review code before you run it.

arbitragevk9722dzetp1enwkx31ymkkzfg181yt86automationvk9722dzetp1enwkx31ymkkzfg181yt86binancevk9722dzetp1enwkx31ymkkzfg181yt86botvk9722dzetp1enwkx31ymkkzfg181yt86cryptovk9722dzetp1enwkx31ymkkzfg181yt86latestvk974ck9c912wx1d1yy8x28410x8236qnquantitativevk9722dzetp1enwkx31ymkkzfg181yt86tradingvk9722dzetp1enwkx31ymkkzfg181yt86websocketvk9722dzetp1enwkx31ymkkzfg181yt86

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binspython3
EnvBINANCE_API_KEY, BINANCE_API_SECRET
Primary envBINANCE_API_KEY

Comments