Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
EVM BNB Band Trader
v0.1.0
Automate BNB Chain swing trades with wallet-key execution, buying at trigger price and managing 5% take-profit and 3% stop-loss levels.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with requested inputs and behavior: the script requires an EVM private key, BNB RPC URL, token and price/size parameters which are expected for a wallet-key trading bot.
Instruction Scope
SKILL.md and the script instruct setting sensitive env vars and running the Python script; that's within scope. However, SKILL.md claims safety controls (e.g., 'Refuse run if gas or balance insufficient') that are not implemented in the provided code. The code only validates the key format and the required env vars, and uses mock quote/swap placeholders rather than real quote or signing/broadcast logic.
Install Mechanism
No install spec and no external downloads; the skill is an instruction + local Python script. No third-party packages or network installs are performed by the skill itself.
Credentials
Requested environment variables (EVM_PRIVATE_KEY, BNB_RPC_URL, TOKEN_OUT, pricing/size/timeout params) are proportionate to a trading bot. That said, providing a private key via environment is sensitive; the skill does not request unrelated credentials.
Persistence & Privilege
always is false and there are no install-time hooks or system-wide configuration changes. The skill does not request persistent elevated privileges.
Assessment
This is a prototype trading bot that matches its description, but it contains placeholders and lacks several promised safety checks. Before trusting it with real funds: (1) inspect and test the code locally and run only in dry-run mode first; (2) do not place a main wallet private key on a shared machine or CI — prefer a dedicated, low-value/test wallet or external signing (hardware wallet or remote signer); (3) implement real price-quoting, router/aggregator swap logic, transaction signing, and explicit gas/balance checks (the script currently uses mock_get_price/mock_swap); (4) use a trusted BNB RPC endpoint and consider rate/latency implications; (5) run in an isolated environment and limit network exposure; (6) consider additional logging/auditing and automated kill-switches. If you need this to run autonomously, understand the risk of giving an agent code that can access a private key — enable only after adding hardened signing and balance checks.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a7d3az71rw1gqwadxq9kng582aya1
