Apex Trading & Analysis

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: apex-trading
Version: 1.0.3

The OpenClaw AgentSkills skill bundle 'apex-trading' is designed for legitimate cryptocurrency trading on the ApeX perpetual futures exchange. All code and documentation (SKILL.md, README.md) consistently align with this stated purpose, providing functionalities for market analysis, portfolio monitoring, and trade execution. Sensitive API credentials (keys, secrets, Omni seed) are explicitly required for private operations, and the documentation includes strong warnings about their security and proper handling (e.g., 'Treat it like a private key/seed phrase and keep it strictly local. Do not share it or commit it.' in SKILL.md and README.md). The scripts communicate with the official ApeX API and CoinGecko for market data, with no evidence of data exfiltration to unauthorized endpoints or malicious execution patterns. The instructions for the AI agent in SKILL.md and README.md include responsible safety guidelines for trading (e.g., 'Confirm trade parameters with user', 'Warn if trade is >20% of account equity'), indicating a focus on secure and controlled operation rather than prompt injection for harmful objectives. Local file I/O (`trading-state.json`) is for legitimate state management. No obfuscation or suspicious dependencies were found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or misinterpreted command could create or cancel real ApeX futures orders, and a close-position action could flip or increase exposure if size or state is wrong.

Why it was flagged

The script directly places futures orders and can cancel all orders once invoked. Because market orders are created with reduceOnly set to false, a close-position flow is not technically limited to only reducing exposure.

Skill content

reduceOnly: false,
...
const result = await apexClient.privateApi.createOrder(order);
...
await apexClient.privateApi.cancelAllOrder(symbol);
Recommendation

Require explicit user approval immediately before every account-changing action, add a reduce-only close command, show a dry run with size/price/account impact, and prefer testnet or restricted API permissions.

What this means

Anyone or any process with these values can potentially access private account data and submit trading operations through the skill.

Why it was flagged

The skill needs highly sensitive account credentials and a signing seed for private ApeX operations. This is expected for trading, but it grants real account authority and is not reflected in the registry credential metadata.

Skill content

Private operations require API credentials and an Omni seed:
- `APEX_API_KEY`
- `APEX_API_SECRET`
- `APEX_API_PASSPHRASE`
- `APEX_OMNI_SEED`
...
Treat it like a private key/seed phrase
Recommendation

Use testnet first, keep the seed out of chat and shared files, prefer restricted API keys where ApeX supports them, and only run the skill in a trusted local environment.

What this means

Portfolio details may remain on disk after use and could be read by someone with access to the skill directory.

Why it was flagged

The position checker persists account size and open-position data to a local trading-state.json file. This is local and purpose-aligned, but the retention and exposure of that financial data are not clearly described in SKILL.md.

Skill content

tradingState.current_positions = positions;
tradingState.parameters.account_size = parseFloat(balance.totalEquityValue || '0');
writeFileSync(stateFile, JSON.stringify(tradingState, null, 2));
Recommendation

Review or delete scripts/trading-state.json after use, avoid shared/synced directories, and document what is stored and how to clear it.

What this means

Installing dependencies gives third-party package code a role in handling trading credentials and order submission.

Why it was flagged

The user-directed npm install pulls external packages, including an alpha ApeX connector used for account and order operations. This is expected for the purpose, and a package-lock file is included, but provenance matters because the dependency handles trading credentials.

Skill content

"dependencies": {
  "apexomni-connector-node": "0.3.2-alpha.1",
  "bignumber.js": "^9.1.2",
  "node-fetch": "^3.3.2"
}
Recommendation

Install from a trusted environment, verify package sources and lockfile integrity, and avoid updating dependencies blindly when using real trading credentials.