Crypto Strategy Suite
WarnAudited by ClawScan on May 18, 2026.
Overview
This is a disclosed crypto-trading skill, but it asks for live exchange keys and can start automated spot/futures trading without clearly bounded limits or stop controls.
Only install this if you intentionally want an agent to help run crypto trades. Start on testnet, use a small isolated exchange subaccount, create trade-only/no-withdrawal API keys with IP allowlisting, set hard notional and leverage limits, and understand the SkillPay per-call billing before enabling live automation.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the exchange key is broad, the agent or a compromised workflow could place trades or futures positions that cause financial loss.
The skill requires live exchange credentials for accounts that can support spot and futures trading, but does not specify constrained API permissions or other credential safety boundaries.
export EXCHANGE_API_KEY="your-api-key" export EXCHANGE_API_SECRET="your-api-secret" # 交易所 API(支持 Binance / OKX / Bybit)
Use only a testnet or isolated subaccount first; create trade-only, no-withdrawal API keys with IP restrictions and minimal balances.
The skill could place multiple automated spot or futures trades faster than the user expects, potentially losing funds.
After a single user selection, including enabling all strategies, the skill says it will automatically configure and start strategy monitoring, but it does not describe per-order confirmation, hard position caps, or a stop procedure.
[A] 全部启用 ... 选择后 Skill 将自动配置参数并启动策略监控循环。
Require explicit confirmation before live orders, add maximum notional and leverage caps, default to dry-run/testnet, and provide a clear stop/cancel-all workflow.
Trading automation may continue acting after the initial invocation, including closing or opening positions without fresh user review.
The skill describes long-running monitoring and automated position management, but does not define runtime limits, user re-approval intervals, or cleanup behavior.
启动策略监控循环 ... 时间止损在持仓超过 4 小时无盈利时自动平仓
Add explicit runtime duration, status reporting, manual stop instructions, and automatic cancellation/position cleanup rules.
The clean static scan should not be treated as proof that live trading behavior is safely implemented.
Instruction-only skills can be legitimate, but for live financial automation this means the supplied artifacts do not provide reviewable code showing how key handling and order limits are enforced.
No code files present — this is an instruction-only skill. The regex-based scanner had nothing to analyze.
Review any actual runtime implementation before providing live keys, and prefer skills with explicit, auditable safeguards.
Repeated or unintended invocations may incur charges through the third-party billing service.
The per-call SkillPay billing is disclosed, but users should notice that invoking the skill can trigger external billing before strategy execution.
本 Skill 为付费 Skill,每次调用通过 SkillPay 自动计费 ... amount: 0.003
Confirm the billing terms and invocation settings before use, especially if the agent can call the skill without a direct slash command.