Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Exchange Copy Trading
v0.1.0
Guides OpenClaw to open a browser and complete exchange copy-trading (follow a trader) on supported venues: navigate to the copy-trading settings URL, fill t...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (automating a browser to follow a trader on Bitget) aligns with the instructions (navigate, fill amount, click confirm). However the example and reference URLs use the domain bitget.fit rather than the widely-known bitget.com; that domain mismatch is unexpected for a skill that will execute financial transactions and could indicate a third-party/mirroring site or a phishing target.
Instruction Scope
SKILL.md explicitly instructs the agent to open a browser, locate the amount field, fill it, and click follow/confirm. It also forbids logging in or collecting passwords and requires user confirmation of amounts and terms. This scope is consistent with the stated purpose, but it permits autonomous completion of monetary transactions if the agent is allowed to act — the skill does instruct to pause for legal-term acceptance and for manual handling of captchas or failures.
Install Mechanism
Instruction-only skill with no install steps, no downloaded code, and no required binaries — minimal installation footprint.
Credentials
The skill requests no environment variables, credentials, or config paths and assumes an already-logged-in browser session. That is proportionate to a browser-automation-only workflow, provided the agent does not attempt to read stored credentials or other unrelated secrets.
Persistence & Privilege
always:false (normal). disable-model-invocation is false (agent can be invoked autonomously), which is platform-default; because the skill can perform financial actions, you should ensure explicit confirmation is required before any submit/confirm step rather than allowing silent autonomous runs.
What to consider before installing
This skill is coherent with its stated purpose (automating a follow/trade flow in a browser), but it references bitget.fit — verify that is an official/trusted endpoint before using. Because the skill can click to submit real financial orders, only use it if you: 1) confirm the exact URL is legitimate (prefer official domains, e.g., bitget.com), 2) keep your session already logged in and never share credentials or 2FA, 3) require an explicit, visible user confirmation step before the agent performs the final submit, and 4) test with minimal funds or in a sandbox first. If you cannot verify the domain or provenance of this skill, do not let it perform autonomous submits — prefer step-by-step manual guidance from the agent instead. If possible, ask the publisher for documentation proving the intended domain and why bitget.fit is used.
Like a lobster shell, security has layers — review code before you run it.
latest vk97d71c3c3ba1r3y98z4ymjs7n842hwf
Runtime requirements
📊 Clawdis
