EntradeX
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: entradex
Version: 0.1.16
The skill bundle is designed to interact with the EntradeX CLI for trading, which inherently involves high-risk actions (real trades) and sensitive credentials (DNSE_API_KEY, DNSE_API_SECRET). However, the `SKILL.md` file is transparent about these capabilities and explicitly warns the user about the risks, recommending verification of the `entradex-cli` npm package and caution with credentials. There is no evidence of prompt injection against the agent, data exfiltration, malicious execution, persistence mechanisms, or obfuscation within the skill bundle itself. The skill's functionality aligns with its stated purpose, and the security warnings indicate responsible design rather than malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could place, change, or cancel real trades if given valid credentials and trading tokens, which could cause financial loss or unwanted account activity.
The skill exposes live order placement, modification, and cancellation commands for a financial trading account. Although this is disclosed, the instructions do not require explicit user confirmation, a dry-run, or another guard before live trade actions.
This skill can place **real trades** using provided credentials ... `entradex trade order ...`; `entradex trade modify ...`; `entradex trade cancel ...`
Use only with explicit user approval for each live trade; confirm account, symbol, side, price, quantity, and order type before execution; and prefer dry-run or a limited-permission/test account where possible.
If these credentials or tokens are exposed or misused, someone may be able to access trading account data or perform trades.
The skill needs DNSE API keys, secrets, and trading tokens to perform its stated trading workflows. This is purpose-aligned, but these credentials authorize sensitive account and trade operations.
Credential priority order: 1. Config file (`~/.entradex-cli/config.json`) ... 2. Environment variables (`DNSE_API_KEY`, `DNSE_API_SECRET`) ... `tradingToken`
Use limited-scope credentials if available, protect the local config file, avoid sharing command logs, clear stored credentials when finished, and rotate keys if misuse is suspected.
A compromised or unexpected npm package version could run local code and handle trading credentials.
The skill relies on installing an external npm package whose executable code is not included in the provided artifacts. This is expected for a CLI wrapper skill, and the skill does advise users to verify the package.
`npm i -g entradex-cli` ... `Verify the npm package: npm view entradex-cli`
Inspect the npm package, verify the author and repository, and consider pinning a trusted version before using it with real trading credentials.
