Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Market Analysis

v1.0.1

This skill was developed by the Tradingbase team to provide comprehensive cryptocurrency market analysis. It fetches real-time market data for all trading pairs from Binance, computes a range of technical indicators (MACD, KDJ, RSI, CCI, BOLL, WR, PSY, BRAR, DMI), and uses the user's connected LLM for market analysis. It supports short-term (default 1-hour candles) and medium/long-term (default 1-day candles) analysis, ...

1 · 250 · 0 current · 0 all-time
by Tradingbase.AI (@lunawolves07)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included scripts: scripts fetch Binance public REST endpoints and compute many technical indicators with TA-Lib. However, the code includes a hard-coded PYTHON_EXECUTABLE set to a Windows Anaconda path (E:\\anaconda\\python.exe) which is unrelated to the stated capability and unlikely to exist on most target systems — this looks like an environment-specific artifact rather than a necessary design choice.
Instruction Scope
SKILL.md describes only fetching public Binance data and passing structured indicator data to the connected LLM. The code sticks to those tasks (requests to Binance, indicator calculations). The runtime behavior does include subprocess calls to run bundled scripts and an attempt to auto-install TA-Lib; the instructions do not ask to read unrelated user files or secrets. The main script is truncated in the provided listing, so confirmation of LLM invocation details is incomplete.
Install Mechanism
There is no declared install spec, but main_analysis.py will attempt to install TA-Lib at runtime by invoking pip through a hard-coded Python executable via subprocess. Runtime package installation without explicit user consent modifies the host environment and executes the package's own install steps (TA-Lib ships a compiled extension). The hard-coded Python path is brittle: if that executable happens to exist it may belong to a different environment than the one running the skill, and if it does not exist the install simply fails. Operationally this is a moderate-to-high risk (unexpected installs and code execution).
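The pattern this section describes, reconstructed in a comment for contrast, beside a dependency bootstrap that binds pip to the interpreter actually running the skill (sys.executable) and never installs anything without an explicit opt-in. This is an added example written for this review, not code from the skill or from its author; the function names, the `--require-virtualenv` guard and the injectable `runner` are this example's own choices.

```python
"""Dependency bootstrap for a skill: check for TA-Lib, never install silently."""
import importlib.util
import subprocess
import sys

MODULE = "talib"          # import name
PIP_PACKAGE = "TA-Lib"    # distribution name; builds a native extension

# The pattern the scan describes, reconstructed here for contrast (not the skill's code):
#   PYTHON_EXECUTABLE = "E:\\anaconda\\python.exe"
#   subprocess.run([PYTHON_EXECUTABLE, "-m", "pip", "install", "TA-Lib"])
# It targets an interpreter that exists only on the author's machine and installs a
# native extension into whatever environment that interpreter belongs to.


def talib_available():
    """True if 'import talib' would succeed in *this* interpreter (no import side effects)."""
    return importlib.util.find_spec(MODULE) is not None


def install_command(interpreter=None):
    """pip invocation bound to the running interpreter unless the caller overrides it.

    --require-virtualenv makes pip refuse to modify a global site-packages, so an
    accidental run outside an isolated environment fails instead of mutating the host.
    """
    return [interpreter or sys.executable, "-m", "pip", "install",
            "--require-virtualenv", PIP_PACKAGE]


def ensure_talib(allow_install=False, interpreter=None, runner=subprocess.run):
    """Return True when talib is importable.

    With allow_install=False (the default) this never spawns pip; it raises and
    tells the user the exact command to run themselves.  `runner` is injectable so
    the install path can be exercised without really installing anything.
    """
    if talib_available():
        return True
    cmd = install_command(interpreter)
    if not allow_install:
        raise RuntimeError(f"{PIP_PACKAGE} missing; install it yourself: {' '.join(cmd)}")
    runner(cmd, check=True)
    return talib_available()


if __name__ == "__main__":
    # Installation happens only behind an explicit flag, never at import time.
    try:
        print("talib available:", ensure_talib(allow_install="--install-deps" in sys.argv))
    except RuntimeError as exc:
        sys.exit(str(exc))
```

Run it plainly to get a clear "install it yourself" message; `python bootstrap.py --install-deps` is the only way it touches pip, and even then only inside a virtualenv.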
Credentials
The skill does not declare or require any credentials or environment variables, and the code does not attempt to read secrets. It uses public Binance endpoints only. The only environment-related actions are setting PYTHONPATH/PYTHONHOME for subprocesses, which is an implementation detail rather than credential access.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges. It does not modify other skills' configs. The only persistent effect could be the runtime pip install of TA-Lib which alters the Python environment, but the skill itself does not claim or request elevated/persistent platform privileges.
What to consider before installing
This skill appears to implement its stated purpose (fetching Binance public data and computing indicators), but exercise caution before installing or using it:

- Hard-coded Python path: main_analysis.py sets PYTHON_EXECUTABLE = "E:\\anaconda\\python.exe" and runs pip through that executable. This is brittle and odd: if that path exists on your machine it will be invoked; if it does not, the installation attempt fails. Ask the author to remove it or make it configurable (use sys.executable, or an explicitly configured interpreter path).
- Runtime pip install: the script attempts to auto-install TA-Lib via subprocess. That modifies your Python environment and runs third-party install steps (potentially compiling native code). Prefer installing dependencies yourself in a dedicated virtualenv or container rather than letting the skill install them.
- Network calls: the skill calls Binance public APIs (expected). No secrets are declared, but review the truncated portion of main_analysis.py to confirm there are no other external endpoints (the LLM invocation code was not visible in full).
- Recommendation: only run this skill in an isolated environment (virtualenv, container, or sandbox), after inspecting and modifying main_analysis.py to remove or parameterize the hard-coded Python path and to disable automatic installs. If you intend to trust it, ask the publisher for a reputable homepage or source repository, or for the missing portion of the main script, so you can verify the LLM calls and final behavior. If you are not comfortable auditing the code, do not run it against production environments or systems holding sensitive data.
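A small static audit for the checks listed above: it parses a skill's Python source with the standard `ast` module and reports hard-coded Windows executable paths, subprocess calls (flagging those that run `pip install`), `os.environ` mutations, and network calls whose hosts are not on an allowlist. This is an added example for reviewers, not part of the skill or of ClawHub's scanner; `SAMPLE` is a constructed snippet that mirrors the patterns the report describes and is not the real main_analysis.py, and the allowlist (`api.binance.com`) is an assumption drawn from the "public Binance REST" description.

```python
"""Pre-install audit for a Python skill: surface the things a reviewer should check."""
import ast
import re

# Hosts the skill is documented to contact (SKILL.md: public Binance REST only). Assumed.
ALLOWED_HOSTS = {"api.binance.com"}
EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_call", "subprocess.check_output", "os.system"}
NET_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen", "httpx.get"}
WIN_PATH = re.compile(r"^[A-Za-z]:\\")            # e.g. E:\anaconda\python.exe
URL_HOST = re.compile(r"https?://([^/\s\"']+)")


def _dotted(node):
    """'subprocess.run' for a `subprocess.run(...)` target; None for anything fancier."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _module_constants(tree):
    """Module-level NAME = "literal" assignments, so names used in calls resolve to values."""
    consts = {}
    for stmt in tree.body:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)
                and isinstance(stmt.value, ast.Constant)
                and isinstance(stmt.value.value, str)):
            consts[stmt.targets[0].id] = stmt.value.value
    return consts


def _call_strings(call, consts):
    """Positional string arguments of a call, flattening lists and resolving constants."""
    out, stack = [], list(call.args)
    while stack:
        a = stack.pop(0)
        if isinstance(a, (ast.List, ast.Tuple)):
            stack = list(a.elts) + stack
        elif isinstance(a, ast.Constant) and isinstance(a.value, str):
            out.append(a.value)
        elif isinstance(a, ast.Name) and a.id in consts:
            out.append(consts[a.id])
        else:
            out.append("<non-literal>")
    return out


def audit_source(src, filename="<skill>"):
    """Return (kind, line, detail) findings, sorted by line, for one Python source file."""
    tree = ast.parse(src, filename)
    consts = _module_constants(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if WIN_PATH.match(node.value):
                findings.append(("hardcoded-path", node.lineno, node.value))
            for host in URL_HOST.findall(node.value):
                if host not in ALLOWED_HOSTS:
                    findings.append(("unexpected-endpoint", node.lineno, host))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in EXEC_CALLS:
                args = _call_strings(node, consts)
                kind = "runtime-pip-install" if {"pip", "install"} <= set(args) else "subprocess"
                findings.append((kind, node.lineno, " ".join(args)))
            elif name in NET_CALLS:
                findings.append(("network", node.lineno, " ".join(_call_strings(node, consts))))
        elif isinstance(node, ast.Assign):
            for t in node.targets:   # os.environ["X"] = ... (Python 3.9+ slice layout)
                if isinstance(t, ast.Subscript) and _dotted(t.value) == "os.environ":
                    key = t.slice.value if isinstance(t.slice, ast.Constant) else "<dynamic>"
                    findings.append(("env-mutation", node.lineno, str(key)))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample mirroring the patterns the scan describes; NOT the skill's main_analysis.py.
SAMPLE = r'''
import os, subprocess, requests
PYTHON_EXECUTABLE = "E:\\anaconda\\python.exe"
BINANCE = "https://api.binance.com/api/v3/klines"

def ensure_talib():
    try:
        import talib
    except ImportError:
        subprocess.run([PYTHON_EXECUTABLE, "-m", "pip", "install", "TA-Lib"], check=True)

def fetch(symbol):
    os.environ["PYTHONPATH"] = "."
    return requests.get(BINANCE, params={"symbol": symbol}).json()
'''

if __name__ == "__main__":
    for kind, line, detail in audit_source(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {kind}: {detail}")
```

On the constructed sample this reports the hard-coded path, the `pip install` run through it (with the interpreter name resolved from the module constant), the PYTHONPATH mutation, and the Binance call as an expected network endpoint. Point `audit_source` at each file in the downloaded zip; anything tagged `runtime-pip-install` or `unexpected-endpoint` is what to read by hand before running the skill.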

Like a lobster shell, security has layers — review code before you run it.

Tags: analysis, binance, crypto, latest, market, technical-indicators
