Skill v1.5.4
ClawScan security
Superior Trade (Deprecated) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 25, 2026, 4:29 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions match its stated purpose (backtesting and deploying strategies on Superior Trade) and only require a single API key that is consistent with that purpose; no installs or unrelated secrets are requested.
- Guidance: This skill appears to be what it claims: a client for Superior Trade that needs one API key. Before installing or using it: (1) Treat SUPERIOR_TRADE_API_KEY as powerful: it can start real trades. Only supply a key if you trust the platform and the agent. (2) Use backtests and verify behavior in the Superior Trade dashboard before approving any live deployment. (3) Confirm the agent prompts you and you explicitly approve every live deployment summary before it runs. (4) Do not paste private keys or seed phrases into chat; follow the SKILL.md instruction to store the API key in your agent's credential manager/env. (5) Note the skill is deprecated; consider installing the recommended newer package (@superior-ai/superiortrade) and verify URLs (use https://account.superior.trade, not app.superior.trade). Finally, rotate the API key if you stop trusting the agent or the skill.
Review Dimensions
- Purpose & Capability (ok): The skill is an API client for Superior Trade backtests and deployments. The declared primary credential (SUPERIOR_TRADE_API_KEY) and the listed external endpoints (api.superior.trade and a read-only hyperliquid info endpoint) are consistent with the described functionality. There are no unrelated binaries, packages, or unrelated credentials requested.
- Instruction Scope (ok): SKILL.md instructs the agent to read the SUPERIOR_TRADE_API_KEY from environment/credential manager, avoid asking for private keys or seed phrases, and to require explicit user confirmation before any live deployment. It does not direct the agent to read arbitrary local files or unrelated environment variables. The explicit live-deploy confirmation requirement reduces risk of accidental real trades.
- Install Mechanism (ok): This is instruction-only (no install spec, no code to write to disk). That minimizes installation risk: nothing is downloaded or executed by an installer.
- Credentials (note): The single required secret (SUPERIOR_TRADE_API_KEY) is proportionate to the skill's purpose, but note this API key can create and start live trading deployments that execute real trades with the user's platform-managed wallet. That is a high-impact capability; it is justified for a deployment client but requires user caution. Also note a minor metadata inconsistency: registry summary initially listed 'Required env vars: none' while the SKILL.md declares SUPERIOR_TRADE_API_KEY as required.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request system-level persistence, and does not modify other skills or system configurations. Autonomous invocation is allowed by platform defaults, but SKILL.md requires explicit user confirmation before live trades.
