Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crypto Executor Optimizer
v1.0.3
Autonomous optimizer skill for Wesley — reads Binance trading performance every 6 hours, analyzes win rate and strategy metrics, then safely tunes executor.p...
by Wesley Armando (@georges91560)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious, medium confidence

Purpose & Capability
The name/description match what the files implement: analyzing performance and modifying/restarting a trading executor. Required binaries (python3, bash, systemctl) and use of cron are consistent. Minor inconsistency: registry metadata lists no required env vars, while SKILL.md/setup scripts collect and persist BINANCE_API_KEY and BINANCE_API_SECRET during setup (they are needed but not declared in registry).
Instruction Scope
The runtime instructions and scripts legitimately read performance files and executor.py and then edit it via regex and restart the service — that is within stated scope. However the skill instructs downloading external code from raw.githubusercontent.com (un-pinned 'main' branch), persists Binance credentials to /workspace/data/bot_config.env, and will source that file when restarting the bot. The apply_optimization.sh modifications use regex replacements which may be brittle and could change unintended lines if executor.py differs. The scripts also instruct pip install with --break-system-packages. These steps expand the attack/accident surface beyond a simple analyzer.
Install Mechanism
There is no formal install spec (instruction-only), but the setup scripts download executor.py and an optional oracle from raw.githubusercontent.com. Raw GitHub content is a known host (lower risk than random IPs), but the downloads target the 'main' branch (not pinned to a commit/tag), which is insecure because the fetched code can change at any time. No archive extraction occurs. The scripts also call pip install --break-system-packages, which can alter the host Python environment on shared systems.
Credentials
The skill collects and persists BINANCE_API_KEY and BINANCE_API_SECRET (reasonable for a trading bot), and optionally Telegram tokens. However these credentials are not declared in the registry's required env list (incoherence). The credentials are stored on disk in /workspace/data/bot_config.env and sourced by fallback restart paths — storing and sourcing secrets is functional but high-impact. No unrelated third-party credentials are requested.
Persistence & Privilege
The skill does not force always:true. The SKILL.md requests sudo/systemctl to restart a system service (uses_sudo: true) and will fall back to pkill/nohup if systemd isn't available. Installing a recurring cron (via openclaw cron or system crontab) gives it periodic execution. These privileges are consistent with restarting/automating a trading bot, but combined with network downloads and credential persistence they increase potential blast radius.
What to consider before installing
This skill appears to implement the advertised optimizer, but it carries non-trivial operational risks. Before installing:
1) Audit the remotely downloaded executor.py and optional oracle code and prefer pinning to a specific commit/tag rather than downloading from 'main'.
2) Understand that the setup will persist your BINANCE_API_KEY and BINANCE_API_SECRET to /workspace/data/bot_config.env (chmod 600) — run this only in an isolated environment you control.
3) The skill requires sudo to restart a systemd service (or will pkill/launch the bot), so verify you are comfortable granting that ability on the host.
4) The scripts call pip install --break-system-packages; avoid this on shared hosts or use a virtualenv.
5) The regex-based in-place edits are brittle — review executor.py to ensure patterns match and backups work as intended.
6) Consider running this in a sandbox or dedicated VM, pin external downloads, and test manually before enabling the cron automation.

Like a lobster shell, security has layers — review code before you run it.
latest: vk971p3wzm3ft0bchad18n8gkmh824y2t
Runtime requirements
🤖 Clawdis
Bins: python3, bash, systemctl
