Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Trading Briefing
v1.0.0每日加密货币交易综合简报。当用户说"早报"、"简报"、"今天市场怎么样"、"交易情况"、"检查交易系统"、"系统状态"、"trading status"、"daily briefing"时触发。自动聚合:(1) BTC/ETH主流币价格 (2) 实盘机器人状态 (3) 持仓盈亏 (4) 系统健康 (5) 策略发现...
⭐ 0· 79·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code implements the stated briefing (market data, bot status, positions, system health, discovery). However SKILL.md claims it will "复用 live_trading/config.json 的 API 密钥" while the script's market fetch uses ccxt without loading that config; the skill also hard-codes workspace paths (/root/.openclaw/workspace) and accesses live_trading/backtest directories which are not declared in the manifest. Those implicit file accesses should be explicit.
Instruction Scope
SKILL.md instructs running a script at /root/.openclaw/workspace/skills/trading-briefing/scripts/briefing.py and suggests reusing live_trading/config.json. The script reads local files (live_trading/state.json, trading.log, backtest/current_best.json, discovery.log) and runs system commands (pgrep, tail, df, free). Reading other skill/workspace files and logs is outside what a simple 'daily briefing' description explicitly declares and could expose secrets or sensitive trading state.
Install Mechanism
No install spec — instruction-only with included Python script. Lowest install risk. Dependency on ccxt is mentioned but not installed by the skill; user/system must manage that.
Credentials
The skill declares no required env vars or credentials but (a) claims to reuse API keys from live_trading/config.json in SKILL.md, and (b) reads files in /root/.openclaw/workspace/live_trading and backtest. Those files may contain API keys, credentials, or sensitive trading data. Requiring/reading other skills' config files without declaring them is disproportionate and increases risk of secret exposure.
Persistence & Privilege
always is false and the skill does not modify other skills or global agent settings. It prints/saves reports to workspace if --save is used. The main concern is read access to other workspace dirs (see environment_proportionality), not persistent privileges.
What to consider before installing
This skill's behavior mostly matches its description, but it implicitly reads files under /root/.openclaw/workspace/live_trading and backtest (state.json, trading.log, current_best.json, etc.). Those files may contain API keys, exchange credentials, or other sensitive trading data. SKILL.md also claims it will "reuse live_trading/config.json API keys" although the script does not explicitly load that file for ccxt — this mismatch is suspicious. Before installing, review the live_trading and backtest directories for secrets, consider running the skill in an isolated environment, and confirm whether you want a skill that reads other skills' state files. If you do proceed, audit any files the script will read (state.json, trading.log, config files) and ensure ccxt and network access are restricted as appropriate. If you want stricter guarantees, request the skill author to: (1) explicitly declare required config paths/credentials, (2) avoid hard-coded /root paths or make them configurable, and (3) document exactly what files are read and why.Like a lobster shell, security has layers — review code before you run it.
latestvk9794qbppn18e8p2vnnptbwkrd83avqx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.