KuCoin Trader

Warn

Audited by ClawScan on May 18, 2026.

Overview

This looks like a real KuCoin trading tool, but it can place high-risk trades and transfers with stored API keys and includes an unsafe 125x futures leverage default.

Only install this if you intentionally want an agent-accessible KuCoin trading tool. Use a tightly restricted API key, disable withdrawals, avoid autonomous invocation for trades, require manual confirmation for every order or transfer, and fix the futures leverage default before using real funds.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent invokes this script with trading parameters, it can create real orders that may lose money.

Why it was flagged

The spot-trading command directly submits a live KuCoin order once invoked, with no built-in human confirmation, dry-run mode, size limit, or final review step.

Skill content

case 'trade':
    await placeOrder(client);
...
const result = await client.createOrder(orderParams);

Recommendation

Require explicit user confirmation for every order, add dry-run mode by default, and enforce user-configured maximum order sizes before enabling the skill.

What this means

A futures trade can be opened with extreme leverage, increasing liquidation and loss risk.

Why it was flagged

Futures orders default to 125x leverage when the user does not provide a leverage value, which is a very high-risk trading default and is not surfaced as a confirmation gate.

Skill content

leverage: leverage || '125',

Recommendation

Remove the 125x default, require an explicit leverage value, cap leverage to a safe configured maximum, and show a mandatory confirmation before submitting futures orders.

What this means

A broadly-permissioned KuCoin API key could let the skill trade, transfer between account types, borrow/repay margin, or expose account balances through normal outputs.

Why it was flagged

The skill asks for full KuCoin API credentials that can be used by the scripts for account queries and financial mutations, while the registry metadata does not declare a primary credential or env vars.

Skill content

Save to `~/.openclaw/credentials/kucoin.json`:
{
  "apiKey": "YOUR_API_KEY",
  "secretKey": "YOUR_SECRET_KEY",
  "passphrase": "YOUR_PASSPHRASE"
}

Recommendation

Use a restricted KuCoin API key, disable withdrawals, enable IP restrictions if possible, grant only the minimum permissions needed, and consider a read-only key for balance/query use.

What this means

A referenced npm script may fail or could be supplied differently in another package copy.

Why it was flagged

package.json references scripts/report.js, but that file is not present in the provided manifest. This does not prove malicious behavior, but it is an incomplete-package/provenance issue.

Skill content

"report": "node scripts/report.js"

Recommendation

Publish a complete manifest, remove unused script entries, and verify the installed files match the reviewed artifacts.