Crypto Trading Bot V7
Security checks across malware telemetry and agentic risk
Overview
No malware or exfiltration is evident, but the skill advertises automated leveraged crypto trading through exchange APIs without clear credential scopes or live-trade approval safeguards.
Review carefully before granting any exchange access. Treat the included code as backtesting/strategy material, verify any script before running it, and only use live trading with testnet-first validation, trade-only API keys, strict order/leverage caps, manual approval, and no withdrawal permissions.
VirusTotal
45/45 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to an exchange, an agent-generated bot could place real spot or futures trades automatically and cause financial losses without per-order review.
This describes automated live order execution across exchanges. The artifacts do not define approval gates, paper-trading defaults, exchange testnet use, order-size limits, or rollback controls for real financial actions.
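- Receive TradingView webhook signals
- Automatically execute buy/sell orders
- Support integration with multiple exchanges
...
- Binance, Bybit, OKX API integration
- Spot/futures automation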
Use paper trading or exchange testnets by default, require explicit user approval before any live order, cap order size and leverage, add a kill switch and audit logs, and never enable withdrawal permissions.
A user may provide overly powerful exchange credentials, potentially allowing unwanted trades or account actions.
For a skill that advertises Binance/Bybit/OKX API automation, the absence of a declared credential contract leaves exchange API key requirements, scopes, and permission boundaries undefined.
Required env vars: none
Env var declarations: none
Primary credential: none
Declare the exact credential needs and require narrowly scoped trade-only API keys for selected exchanges and symbols; do not request or use withdrawal, account-transfer, or broad administrative permissions.
A user could accidentally run unreviewed local workspace scripts rather than the code supplied with this skill.
These are user-directed backtest commands, but the provided manifest only includes scripts/v7_strategy/backtest_engine_v7.py, not the referenced v3/v4/v6 workspace files. Running those names would depend on local files outside the reviewed package.
cd /home/user/.openclaw/workspace
...
python3 backtest_engine_v3.py
python3 backtest_engine_v4.py
python3 backtest_engine_v6.py
python3 backtest_engine_v7.py
Run only reviewed files by explicit path, inspect any workspace scripts before execution, and update the skill package or documentation so referenced scripts match the manifest.
