Trading upbit skill

Suspicious
Audited by ClawScan on May 10, 2026.

Overview

This skill is openly described as an Upbit trading bot, but it can place real, scheduled trades using stored API keys and a local event file that it treats as trustworthy, so it needs careful review before use.

Treat this as a high-risk automated trading system, not a simple informational skill. Test with dryRun=true, use a separate low-balance Upbit account or tightly restricted API key, review events.json and positions.json before enabling cron, and do not enable live orders until you understand the strategy and rollback process.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If dry-run is disabled or the strategy behaves unexpectedly, the bot can automatically buy or sell crypto and cause financial loss.

Why it was flagged

The skill is designed to turn queued trading events into orders and to run repeatedly under cron, so live configuration can produce real financial trades without per-order confirmation.

Skill content
Processes events in a worker (places orders or dry-run) ... Worker (every 1 minute): `cd <skillRoot> && node skill.js worker_once`
Recommendation

Run in dry-run first, use a separate low-balance account or restricted API key, keep conservative budgets and exclusions, and add explicit approval or validation before enabling live scheduled orders.

Concern (Medium Confidence)
ASI03: Identity and Privilege Abuse
What this means

The bot may act on holdings you did not intend it to trade, including manually purchased assets.

Why it was flagged

The bot's account access is not limited to positions it created itself; it can bring existing account holdings under its management logic.

Skill content
This allows the monitor/worker to manage assets bought outside this bot (manual trades, previous runs, partial fills, etc.).
Recommendation

Use a dedicated account or API key for bot funds only, review or disable imported-holdings behavior if possible, and set explicit market exclusions before live use.

What this means

A stale, mistaken, or tampered event file could trigger real trades when the cron worker runs.

Why it was flagged

The worker treats the persistent resources/events.json queue as authoritative and executes pending entries across runs.

Skill content
const events = await readEvents();
const pending = events.filter(shouldProcess);
...
const res = await executor.execute(e);
Recommendation

Protect the resources directory, review and clear events.json before enabling live trading, and consider signing/validating events or requiring approval for live orders.

Note (High Confidence)
ASI10: Rogue Agents
What this means

Once scheduled, the bot can keep running and trading even when you are not actively watching.

Why it was flagged

The persistence is user-directed and documented, but it creates an ongoing autonomous worker with trading authority.

Skill content
openclaw cron add ... --cron "* * * * *" ... --command "cd /Users/sgyeo/.openclaw/workspace/skills/trading-upbit-skill && node skill.js worker_once"
Recommendation

Only add cron jobs after dry-run testing, monitor account activity, and know how to disable the cron entries quickly.

What this means

Future installs may resolve dependency versions that differ from the ones reviewed here.

Why it was flagged

The README instructs npm install, and these semver ranges can resolve to newer package versions; no lockfile is shown in the manifest.

Skill content
"dependencies": { "axios": "^1.13.5", "jsonwebtoken": "^9.0.3", "uuid": "^13.0.0" }
Recommendation

Install from a trusted source, review the dependency tree, and prefer a committed lockfile or pinned versions for live trading deployments.