Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crypto Trading Bot V7
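v1.0.0 Cryptocurrency trading bot development - helps you build automated trading bots, with support for Pine Script, Python, and CCXT API integration. Suitable for: (1) building TradingView signal bots (2) CEX/DEX API automation (3) arbitrage bots (4) take-profit/stop-loss strategies (5) strategy backtesting (6) advanced risk control (7) multi-strategy frameworks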
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description advertise TradingView webhooks, CCXT API integration, CEX/DEX automation and Pine Script support, but the repository contains only backtest code (strategy_modules.py and backtest_engine_v7.py) and text files. There is no CCXT usage, no webhook/server code, no API credential handling, and the Pine Script file referenced in SKILL.md is absent from the manifest. Several referenced backtest versions (v3, v4, v6, etc.) are mentioned but not included. This mismatch suggests the package is not what it claims to be.
Instruction Scope
SKILL.md runtime instructions focus on running local backtests (activating a venv, running python backtest scripts) and refer to files under /home/user/.openclaw/workspace. They do not instruct accessing or storing exchange API keys, nor do they provide webhook setup instructions despite claiming webhook support. The instructions reference scripts/versions that are not present, which is inconsistent and could mislead users into thinking live-trading components exist when they do not.
Install Mechanism
There is no install spec or external download — the skill is instruction/code-only. That minimizes supply-chain risk (nothing is fetched or installed automatically). However, the code assumes standard Python packages (pandas, numpy) without declaring them.
Credentials
The description implies the need for exchange credentials and webhook endpoints, but requires.env and primary credential are empty. The code uses hardcoded filesystem paths (e.g., DATA_PATH = '/home/user/.openclaw/workspace/crypto_data/SOLUSDT_1h.csv'), which will read user-local files but does not declare or request credentials. This disparity (advertised live features but no credential handling) is an incoherence that warrants caution.
Persistence & Privilege
The skill does not request persistent or privileged presence: always is false, there are no install hooks, and it does not appear to modify other skills or global config. Autonomy (model invocation) is allowed by platform defaults but is not combined here with other high-risk indicators.
What to consider before installing
This package is inconsistent: it advertises live trading features (webhooks, CCXT/CEX automation, Pine Script integration) but only provides local backtesting/strategy code. Before installing or running it: (1) don't supply real exchange API keys unless you confirm the code implements secure CCXT integration and stores keys safely — none is provided here; (2) inspect the code yourself or run it in an isolated/sandbox environment (use a disposable VM or container and testnet keys) to verify behavior; (3) verify the missing files and versions referenced in SKILL.md (other backtest versions, Pine Script) — their absence could be an omission or a sign of incomplete packaging; (4) ensure required Python dependencies (pandas, numpy) are installed in a virtualenv; (5) if you expect a live trading bot, contact the author for the live-integration modules or obtain a package that explicitly includes and documents CCXT/webhook implementation and secure credential handling.
Like a lobster shell, security has layers — review code before you run it.
latestvk9761a830p3m0d7d28dae7abas83nz4e
