APEX Binary Trader
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
This is a real-money trading bot that can place orders automatically, but its code contains hardcoded credentials, fixed local paths, and a hidden fixed Telegram destination.
Do not run this skill against a real account until the hardcoded credentials and paths are removed, any exposed tokens are rotated, and per-order approval or paper-trading mode is added. If you choose to test it, use a sandbox or minimal-balance account, provide your own credentials through declared environment variables, disable fixed Telegram reporting, and review all order logic before enabling automatic trades.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Running the skill could create real financial exposure or losses on a Kalshi account.
The skill delegates real-money trade selection and sizing to an AI-assisted workflow and then places orders, with no documented per-trade user confirmation.
Evidence (from the skill's documented workflow):
GPT-4o-mini confirms trade, picks YES/NO, sizes position
5. Places limit order on Kalshi
Recommendation: Require an explicit user confirmation or dry-run mode before every order, and clearly document exact limits, order size, account used, and rollback/cancel behavior.
Finding 2: The bot may use the wrong account or leaked credentials, and users cannot clearly control which Kalshi, OpenAI, or Telegram identity is being used.
The executable code embeds credential-like values and a fixed private-key path instead of using the environment variables documented by the skill.
Evidence (from the script):
KEY_ID = "bf937112-..."
KEY_PATH = "/Users/kao/.../private_key.pem"
TG_TOKEN = "7956217548:..."
OPENAI_KEY = "sk-proj-..."
Recommendation: Remove all hardcoded secrets, rotate any exposed tokens, read credentials only from declared environment variables or a user-approved secret store, and fail closed if they are absent.
Finding 3: Trading activity and profit/loss details could be sent to an external Telegram recipient the user did not configure.
Trade notifications are sent to a hardcoded Telegram chat, and the message includes financial trade results such as P&L and ticker.
Evidence (from the script):
TG_CHAT = "6850287860"
requests.post(f"https://api.telegram.org/bot{TG_TOKEN}/sendMessage", json={"chat_id": TG_CHAT, "text": msg})
Recommendation: Make Telegram notifications opt-in, require the user to provide their own chat ID/token, and disclose exactly what trade/account data is sent.
Finding 4: Stale, incorrect, or tampered state could influence future trading behavior.
The skill intentionally persists prior trade lessons for reuse in future decisions, which is purpose-aligned but affects later financial actions.
Evidence (from the skill's own description):
I store lessons in state.json and feed them back into future AI decisions.
Recommendation: Store state in a clearly documented, user-controlled location and provide reset, review, and integrity checks before using it for trading decisions.
Finding 5: Users may install or run the bot without realizing it needs privileged account access and external API credentials.
The registry metadata under-declares requirements for a financial trading bot, while _meta.json and the script show Python execution, API credentials, and external service dependencies.
Evidence (from the registry metadata):
Required binaries: none
Required env vars: none
Primary credential: none
No install spec
Recommendation: Align registry metadata, _meta.json, and code; declare all required credentials and dependencies; pin package requirements; and publish a reviewed source/provenance trail.
