Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crypto Trading Agents
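v1.0.2
Multi-agent cryptocurrency quantitative trading system, built on the TradingAgents multi-agent framework plus a Binance execution layer. Supports: technical analysis, news analysis, multi-agent debate, automated trading signal generation, and Binance spot order placement. Use cases: researching quantitative strategies, developing automated trading bots, and analyzing cryptocurrency portfolios.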
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a multi‑agent crypto trading system and the SKILL.md legitimately requires Binance API keys, optional LLM API keys (OpenAI/Google/Anthropic) and a WeChat webhook for notifications — these are appropriate for the described functionality. However, the registry metadata declares no required environment variables or primary credential while the documentation clearly instructs creating a .env with multiple sensitive keys; that metadata omission is an inconsistency that reduces transparency.
Instruction Scope
The SKILL.md instructions stay within the stated domain: cloning a GitHub repo, creating a virtualenv, installing dependencies, reading a .env, calling LLMs for analysis, and executing trades via Binance. This scope is expected for an automated trading skill. Risks to note: the instructions enable automatic live trading (CLI flags and AutoTradingSession can execute market orders) so a user can accidentally trade real funds if BINANCE_TESTNET is not set or API keys have broad permissions.
Install Mechanism
There is no formal registry install spec, but scripts/setup.sh will curl a remote installer (https://astral.sh/uv/install.sh) and pipe it to sh to install 'uv'. Downloading and executing a remote install script from a non‑centralized host is higher risk and should be reviewed manually before running. The remainder of the install (creating venv, pip install .) is typical.
Credentials
The environment variables required by the runtime (OPENAI_API_KEY/GOOGLE_API_KEY/ANTHROPIC_API_KEY, BINANCE_API_KEY, BINANCE_API_SECRET, WECHAT_WEBHOOK_URL) are proportionate to the functionality. The concern is that the skill metadata does not declare these required credentials, which hides the fact that sensitive secrets will be used. Also note: providing Binance API keys grants trading capability; keys with withdrawal permissions would be dangerous.
Persistence & Privilege
The skill is not marked always:true and does not request system-level persistence or cross-skill configuration. It runs as an instruction-only package and its scripts create and use a local virtual environment and pip installs, which is normal for Python projects.
What to consider before installing
Before installing or running this skill:
1) Treat the registry metadata omission as a red flag — the SKILL.md requires sensitive keys (Binance API key/secret, optional LLM API keys, WeChat webhook). Expect to supply secrets.
2) Do NOT run scripts/setup.sh or any curl | sh commands without reviewing them; the installer fetches https://astral.sh/uv/install.sh which is not a central package host. Consider manually installing dependencies (virtualenv, pip) instead.
3) Create Binance API keys with minimal permissions (spot trading only, no withdrawals) and prefer testnet (BINANCE_TESTNET=true) while testing.
4) Inspect the upstream GitHub repository (https://github.com/TauricResearch/TradingAgents.git) and the package code before running, and verify the repository identity/maintainer.
5) Keep secrets out of shared files; use a dedicated secrets manager or environment variables scoped to the test environment.
6) If you enable auto-trading, start with very small amounts and monitor logs; consider running first in an isolated VM or container.
If you want, I can list concrete checks to run on the GitHub repo's code (search for network calls, hidden webhooks, or commands that could withdraw funds) or produce safer install commands that avoid piping remote scripts.
Like a lobster shell, security has layers — review code before you run it.
