Trading upbit skill
v1.0.14
Upbit automated trading (aggressive breakout) with cron-friendly run-once commands, TopVolume monitoring, and percent-based budget splitting.
by @kuns9
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (Upbit automated trading) match the code and runtime instructions: the code implements monitoring, event enqueueing, position state, risk checks, and order execution via an Upbit client. Declared required binary (node) and credentials (Upbit API keys) are appropriate.
Instruction Scope
SKILL.md and skill.js instruct the agent to run monitor/worker/smoke_test and to store keys in env or config.json. Runtime behavior is limited to local files under resources/ and Upbit API calls. No instructions appear to read unrelated system files or transmit data to external hosts other than Upbit. Note: the docs recommend running a built-in security_check and dry-run first (good).
Install Mechanism
This is instruction-heavy with a package.json listing common dependencies (axios, jsonwebtoken, uuid). No install script or remote download URLs are present; user runs npm install locally which is expected for a Node skill.
Credentials
The skill only requires Upbit API keys (primary: UPBIT_ACCESS_KEY, UPBIT_SECRET_KEY) which is proportional. Minor inconsistency: SKILL.md/README/security text also mentions alternative names (UPBIT_OPEN_API_ACCESS_KEY / UPBIT_OPEN_API_SECRET_KEY) and skill.js comments reference these names too. The actual code uses loadConfig() to obtain cfg.upbit.accessKey/secretKey; verify scripts/config/index.js to confirm how environment variables are mapped to cfg.upbit to avoid misconfiguration.
Persistence & Privilege
always is false; the skill is user-invocable and does not request permanent platform-wide privileges or modify other skills. It creates and manages local resource files (events/positions/heartbeat) inside its own project root, which is expected for a cron-run bot.
Assessment
This skill appears to implement what it claims (an Upbit trading bot). Before installing: (1) run it in dry-run mode and use a test account or minimal funds; (2) inspect scripts/execution/upbitClient.js and scripts/config/index.js to confirm API host usage and how environment variables map to cfg.upbit (there are inconsistent env variable names in docs vs comments); (3) run node skill.js security_check to ensure only api.upbit.com URLs exist; (4) store keys in the platform secret store (not config.json), limit key permissions while testing, and rotate keys after use. If you don't want live trading, ensure execution.dryRun=true and verify the Upbit client will not send requests that aren't allowlisted. Finally, be aware that npm install will pull third-party dependencies (axios, jsonwebtoken, uuid) — audit them if you require stricter supply-chain controls.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: node
Env: UPBIT_ACCESS_KEY, UPBIT_SECRET_KEY
Primary env: UPBIT_ACCESS_KEY
