Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
openclaw-funding-arb
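v1.0.0 Runs and maintains a MEXC stock-futures funding-fee arbitrage bot, including millisecond-level triggering, funding-rate threshold filtering, stock whitelist filtering, trading-halt window control for regular US stock market hours, and persistent recovery of open-position state. Use this skill when the user asks to start, tune, troubleshoot, or modify this arbitrage workflow.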
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md, and the included script are coherent: this is a MEXC funding-rate arbitrage bot and the script expects MEXC API key/secret and trading-related environment variables. However the registry metadata lists no required environment variables or primary credential, which is inconsistent with the skill's actual needs.
Instruction Scope
SKILL.md limits runtime actions to copying the provided script, setting MEXC_API_KEY / MEXC_API_SECRET and related env vars, and running the Python script. It documents STATE_FILE usage and tuning parameters. It does not instruct the agent to read unrelated system files or send data to external endpoints beyond the exchange API (based on the provided content).
Install Mechanism
There is no install specification (instruction-only) and the code is provided as a single Python script. No external download URLs, package installs, or extract operations are present in the metadata. Risk from install mechanism is low, but running the script will execute untrusted code on the host.
Credentials
The script requires MEXC_API_KEY and MEXC_API_SECRET (and several optional trading-related env vars) to operate; these are necessary for trading but the registry metadata did not declare them. Requesting trading credentials is proportionate to the stated purpose, but because the metadata omits them, the omission is a practical risk (users may not realize they must supply keys) and increases chances of accidental credential exposure. The script also allows overriding BASE_URL via env var, which could be misused if combined with keys.
Persistence & Privilege
The skill does not request forced/always-on presence and does not modify other skills. It persists a local STATE_FILE for open positions, which is expected for this use-case. Note: because agent invocation is allowed, an agent with access to the skill plus valid API keys could autonomously place trades — consider this when granting keys.
What to consider before installing
This skill contains a real trading bot that will place market orders if you supply valid MEXC API keys. Before installing or running it: (1) do not provide API keys with withdrawal permission — only give the minimum permissions required or use testnet/demo keys; (2) review the entire script for any hardcoded endpoints or unexpected network calls (the script lets BASE_URL be overridden); (3) run it first in an isolated/sandbox environment with small amounts or paper-trading to confirm behavior; (4) ask the publisher to update the registry metadata to declare required env vars (MEXC_API_KEY, MEXC_API_SECRET) so the need is explicit; (5) if you lack the ability to audit the full code, avoid providing live trading credentials. These steps reduce the risk of accidental fund loss or credential misuse.
Like a lobster shell, security has layers — review code before you run it.
latest vk9786ekjn5ne3f4pvaqk7f6wc58418mm
