Crypto Executor
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed Binance trading bot, but it asks for real-money trading keys and can run persistently and autonomously, so it needs careful review before use.
Install only if you intentionally want an autonomous bot to trade real Binance funds. Use a dedicated spot-only API key with withdrawals disabled and IP whitelisting, start with paper trading or a very small balance, pin and audit all GitHub dependencies, avoid enabling systemd until tested, and protect local state files and Telegram credentials.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The bot can place trades and OCO sell orders using the user's Binance account, which can cause financial loss without per-trade human approval.
The code sends signed Binance order-creation requests, which means the skill can mutate a real trading account, not just read market data.
result = self._request('POST', '/api/v3/order/oco', params=params, signed=True)
Use only a dedicated, spot-only Binance API key with withdrawals disabled, IP whitelisting, a small isolated balance, and manual testing before enabling autonomous trading.
An external or modified helper script could potentially access the same trading credentials used by the bot.
The bot loads Binance credentials into its environment and runs an external Python helper as a subprocess; no environment isolation is shown in the documented call.
source /etc/crypto-executor/credentials.env ... executor.py reads these via os.getenv() ... result = subprocess.run([sys.executable, str(self.oracle_script), "--symbol", symbol], capture_output=True, text=True, timeout=10)
Run external helpers with a scrubbed environment, audit and pin the dependency, and keep Binance keys restricted to the minimum required permissions.
A changed or compromised dependency could influence trading signals or execute code in the bot's runtime environment.
The setup pulls an external GitHub dependency and installs it into the runtime path; the docs warn it must be audited, but the default command does not pin a commit.
git clone https://github.com/georges91560/crypto-sniper-oracle.git ... # AUDIT THE CODE (IMPORTANT!) ... cp -r crypto-sniper-oracle/* /workspace/skills/crypto-sniper-oracle/
Pin exact commits or releases, verify checksums where possible, review the helper code before use, and avoid executing unreviewed remote HEAD code.
If enabled, the bot may resume trading after a reboot or crash even when the user is not actively watching it.
The documented systemd setup can keep the autonomous trading bot running and restarting in the background.
✅ Auto-starts when server boots ... ✅ Auto-restarts if bot crashes ... ✅ Runs in background (no SSH needed) ... ExecStart=/usr/bin/python3 /workspace/skills/crypto-executor/executor.py
Only enable the service after dry runs and small-balance tests; document how to stop and disable it, and monitor logs and balances regularly.
Users may trust the bot more than warranted and risk real funds based on optimistic or non-guaranteed performance claims.
The documentation presents aggressive return expectations and a strong maximum-loss claim that may overstate the reliability of automated risk controls.
Monthly: ROI: 20-40% ... Maximum possible loss: 10% (then bot stops)
Treat all performance and loss-limit statements as non-guaranteed; test with paper trading or very small capital and set independent exchange-side protections.
These files may reveal sensitive financial activity and can influence future trading behavior if edited or corrupted.
The bot stores portfolio state, open positions, trade history, metrics, and learned strategy configuration under /workspace.
/workspace/portfolio_state.json ... /workspace/open_positions.json ... /workspace/trades_history.jsonl ... /workspace/performance_metrics.json ... cat /workspace/learned_config.json
Protect the workspace with appropriate file permissions, back up state files, and inspect learned configuration before restarting after unusual behavior.
Trade activity and portfolio information may leave the server through Telegram notifications.
The optional Telegram integration sends trade details and performance reports to an external messaging service.
Every trade execution sends: ... BUY 0.22 BTCUSDT ... Entry ... Position Size ... Daily Reports ... Sent automatically via Telegram every day.
Use Telegram only if needed, protect the bot token and chat ID, and ensure alerts go to a private chat controlled by the user.
