Trading Hub

This package is a full-featured autonomous trading bot whose code and runtime instructions request and use local credentials and register recurring autonomous tasks, but it misstates what it requires and contains prompt-injection signals — proceed only after careful review and containment.

Plain-language next steps and cautions: - This skill is a full autonomous trading bot (scanners, auto-trader, binance API integration) that will register recurring cron jobs to run trades and post reports. Do NOT install it into a production agent without review. - Key mismatch: The skill declares no credentials required but its code reads ~/.openclaw/workspace/USER.md for API keys/secrets. Before installing, inspect USER.md and remove any high-privilege keys or ensure it does not contain secrets you care about. - If you plan to test: use strictly sandboxed credentials (testnet keys or a dedicated sub-account) with minimal permissions (disable withdrawals, set tight trade limits, low balance). Never provide your main exchange API keys. - Disable or do not run the openclaw cron add commands until you audit the scripts. The SKILL.md includes explicit commands that will create scheduled autonomous tasks; run these only after code review and while in an isolated test agent. - Audit the code paths that send data out: check who receives announcements (the cron messages include a hard-coded Feishu user identifier). Verify that reports and logs are not being sent to unknown third parties and remove or change hard-coded recipients. - Because the SKILL.md contains detected unicode-control-chars (possible prompt injection), open the SKILL.md source in a safe text editor and verify there are no hidden instructions or maliciously crafted control sequences. - Run the bot in mock mode first (mock_trade.py / mock_trade_live.py) and review logs in scripts/data before allowing any real trading. Enable a 'kill switch' (e.g., set auto_trade_enabled=false in auto_config.json and kill cron jobs) as a safety precaution. - If you lack code-audit skills, do not install or run this skill with real funds. Consider asking a trusted developer/security reviewer to audit the code for credential exfiltration, unexpected network endpoints, or backdoors.