KTrendz Lightstick Trading
v1.2.1
Trade K-pop artist lightstick tokens using bonding curve prices, real-time signals, and news to buy or sell with a $100 daily limit and fee structure.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's claimed purpose (trade K-Trendz tokens) aligns with the included scripts which call https://k-trendz.com/api/bot for price, buy, and sell. However the registry metadata lists no required env vars or primary credential while the SKILL.md and scripts clearly require a KTRENDZ_API_KEY and write a config at $HOME/.config/ktrendz/config.json. That mismatch (required credential and config path not declared in metadata) is an incoherence.
Instruction Scope
The SKILL.md instructions and scripts confine activity to: collecting/storing an API key, calling the documented API endpoints (/token-price, /buy, /sell), and showing results. They do not attempt to read unrelated system files or exfiltrate arbitrary data beyond using the API key to contact the K-Trendz API. The setup script stores the API key in a local JSON file (chmod 600).
Install Mechanism
There is no install spec (instruction-only install), so nothing is downloaded or installed by an automated installer. Risk is limited to the included shell scripts which are runnable — review before executing, but no high-risk download/install behavior was found.
Credentials
The skill requires a service credential (KTRENDZ_API_KEY) and writes that key to $HOME/.config/ktrendz/config.json, which is appropriate for the described API usage — but the registry metadata did not declare any required env vars or a primary credential. That omission reduces transparency and is disproportionate to the declared registry fields. The number and type of env access (single API key) is otherwise reasonable.
Persistence & Privilege
The skill does not request elevated privileges, does not set always:true, and only persists a config file under the installing user's home directory with restrictive permissions (chmod 600). Autonomous invocation is allowed (default) but is not combined with other high-risk behaviors.
What to consider before installing
What to consider before installing or using:
- Provenance: the registry entry has no description/homepage and the source is 'unknown'. Verify the publisher and the repository at https://github.com/ktrendz/lightstick-trading-skill (package.json points there) before trusting it.
- Credential handling: the scripts require KTRENDZ_API_KEY (not declared in registry metadata). The setup script will store your API key in plaintext JSON at $HOME/.config/ktrendz/config.json (permissions set to 600). Only provide an API key you trust the upstream service with — do not reuse a sensitive key until you confirm legitimacy.
- Network calls: the scripts make POST requests to https://k-trendz.com/api/bot. If you run them, they will communicate with that external service; confirm the domain and its TLS certificate and API behavior.
- Review and sandbox: the scripts are short and readable; inspect them (they only call curl/python) and run first in an isolated environment (container or throwaway account) and with a test API key. If you are not comfortable, decline to provide real credentials.
- Metadata mismatch: ask the publisher to update registry metadata to declare KTRENDZ_API_KEY and the config path; absence of that disclosure is a transparency concern.
If you proceed: verify the upstream GitHub repo and publisher identity, use a limited/test API key, and run the scripts in a sandboxed environment.
Like a lobster shell, security has layers — review code before you run it.
