Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Etrade Pelosi Bot

v1.0.0

Mirror congressional stock trades with automated broker execution and risk management

4 stars · 1.8k downloads · 3 current · 3 all-time
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's declared purpose (mirror congressional trades and execute them via a broker) aligns with the code and scripts (broker adapters, trade engine, cron setup, Telegram notifier). However, the registry metadata claims no required env vars/credentials while SKILL.md and multiple config files clearly expect BROKER_API_KEY, BROKER_API_SECRET and BROKER_ACCOUNT_ID (and optional TELEGRAM_*). That metadata mismatch is an incoherence an installer should notice. The bot also targets specific politicians (Pelosi, others), which is consistent with the stated purpose but ethically questionable in its narrow focus — this is not a security finding per se but worth noting.
! Instruction Scope
Runtime instructions and scripts ask the user/agent to create config files containing API keys or to read secrets from environment variables or config/secrets.json, to run interactive auth flows, and to run setup scripts that install packages and configure cron jobs. The code writes auth state and access tokens to local files (e.g., .auth_state.json, .access_tokens.json, config/config.json), and the setup scripts install services and schedule recurring cron jobs. These actions go beyond read-only data-fetching: they create persistent automation that can place trades and run background processes. The SKILL.md also recommends running scripts that will modify the host (cron), which increases risk if done without review.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the bundle contains many executable scripts (final_setup.sh, setup_*.sh, install_deps.sh, scripts/setup_cron.sh) that perform pip installs and file writes. The package does not download code from obscure servers; it relies on pip for dependencies and bundled scripts. That is moderate risk: no remote arbitrary archive downloads were observed, but the included scripts install packages and lay down persistent cron entries and control scripts on the host.
! Credentials
The credentials the project needs (broker API key/secret and account id, optional Telegram token/chat id) are appropriate for automated brokerage access. However, the registry metadata lists no required env vars while SKILL.md and config files declare those secrets — an incoherence. Additionally, the docs/QuickStart include what look like explicit API key/secret strings in examples; embedding credentials or sample keys in documentation is suspicious and could indicate accidental exposure or encourage insecure copying. The code writes tokens to local files (unencrypted), which is expected for this type of tool but increases the need for careful handling of these secrets.
! Persistence & Privilege
Although 'always' is false, the skill (via its scripts and SKILL.md instructions) sets up cron jobs, creates background runner scripts (nohup), and writes configuration and token files. That creates persistent automation on the host that will continue running independently of the AI agent. This is within the functional scope of an automated trading system but represents significant persistence and privilege (ability to place financial orders) and must be treated with elevated caution.
What to consider before installing
What to consider before installing or running this skill:

- Registry vs SKILL.md mismatch: the registry says no required credentials, but SKILL.md and config files require BROKER_API_KEY, BROKER_API_SECRET and BROKER_ACCOUNT_ID (and optionally TELEGRAM tokens). Treat that as a red flag — confirm exactly what secrets the package will ask for before proceeding.
- Do not run with real brokerage credentials until you audit the code. The bot will store access tokens and may place real orders. Test only in a broker sandbox or with throwaway credentials and tiny position sizes.
- Review setup scripts and the cron installer before executing. The bundle includes scripts that will install packages, write config files, and add cron jobs and background processes. If you run them, they will create persistent automation that can trade autonomously.
- Check for hardcoded/example keys. Quick start docs include example API keys/secrets — verify they are fake. Never paste keys from docs into production config without verifying their origin.
- Inspect where tokens and config are written. The code stores unencrypted tokens in files like .access_tokens.json and config/config.json. Consider using a secrets manager or protecting those files and limiting filesystem access.
- Review network endpoints in code. The package uses E*TRADE sandbox/production endpoints and api.telegram.org for notifications — verify these are the only external endpoints, and that there are no hidden exfiltration URLs in the omitted files.
- If you allow automation: enable dry-run/sandbox mode first, limit trade sizes, and retain an easy manual kill-switch (cron removal, pkill, or stop script). Monitor logs closely.

If you want, I can:

- list the files that write tokens/credentials (paths and filenames) so you can inspect them, or
- scan the omitted source files for network calls, hardcoded domains, or suspicious code patterns and report findings (this improves confidence).


latest  vk97bmg9y81f76j2bvv75f7h43h80byrw
1.8k downloads
4 stars
1 version
Updated 14h ago
v1.0.0
MIT-0

ClawBack

Mirror congressional stock trades with automated broker execution

ClawBack tracks stock trades disclosed by members of Congress (House and Senate) and executes scaled positions in your brokerage account. Built on the premise that congressional leaders consistently outperform the market due to informational advantages.

Features

  • Real-time disclosure tracking from official House Clerk and Senate eFD sources
  • Automated trade execution via broker API (E*TRADE adapter included)
  • Smart position sizing - scales trades to your account size
  • Trailing stop-losses - lock in profits, limit losses
  • Risk management - drawdown limits, consecutive loss protection
  • Telegram notifications - get alerts for new trades and stop-losses
  • Backtesting engine - test strategies on historical data

Performance (Backtest Results)

Strategy                  Win Rate  Return  Sharpe
3-day delay, 30-day hold  42.9%     +6.2%   0.39
9-day delay, 90-day hold  57.1%     +4.7%   0.22

Congressional leaders have outperformed the S&P 500 by 47% annually according to NBER research.

Quick Start

# Clone and setup
git clone https://github.com/openclaw/clawback
cd clawback
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt

# Configure secrets
python3 src/config_loader.py setup

# Authenticate with broker
python3 src/main.py interactive
# Select option 1 to authenticate

# Set up automation
./scripts/setup_cron.sh

Configuration

ClawBack reads secrets from environment variables or config/secrets.json:

{
  "BROKER_API_KEY": "your-broker-api-key",
  "BROKER_API_SECRET": "your-broker-api-secret",
  "BROKER_ACCOUNT_ID": "your-account-id",
  "TELEGRAM_BOT_TOKEN": "optional-for-notifications",
  "TELEGRAM_CHAT_ID": "optional-for-notifications"
}

Supported Brokers

ClawBack uses an adapter pattern for broker integration. Each broker implements a common interface defined in broker_adapter.py.

Broker    Adapter              Status
E*TRADE   etrade_adapter.py    Supported
Schwab    schwab_adapter.py    Planned
Fidelity  fidelity_adapter.py  Planned

To specify which broker to use, set broker.adapter in your config:

{
  "broker": {
    "adapter": "etrade",
    "credentials": {
      "apiKey": "${BROKER_API_KEY}",
      "apiSecret": "${BROKER_API_SECRET}"
    }
  }
}
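The `${VAR}` references above are resolved from the environment or config/secrets.json, and the scan report above warns both about documentation sample keys being copied into real configs and about unprotected token files. The following is an added example (editor's code, not ClawBack's) of a loader that resolves those references, refuses the README's sample values, and checks that secrets.json is readable by its owner only; all function names and the DOC_SAMPLES set are assumptions.

```python
import re
import stat
from pathlib import Path

# Added example, not ClawBack's own code. It follows the README's layout:
# config.json references secrets as "${VAR}"; values come from env or secrets.json.
PLACEHOLDER_RE = re.compile(r"^\$\{([A-Z][A-Z0-9_]*)\}$")
REQUIRED_SECRETS = ("BROKER_API_KEY", "BROKER_API_SECRET", "BROKER_ACCOUNT_ID")
# Literal sample values from the README's Configuration section; the scan report
# warns that such samples get copied into real configs, so they are rejected.
DOC_SAMPLES = {"your-broker-api-key", "your-broker-api-secret",
               "your-account-id", "optional-for-notifications"}


def resolve_secrets(config, env, secrets_json=None):
    """Return (credentials, problems) for config["broker"]["credentials"].

    env is a mapping like os.environ; secrets_json is the parsed
    config/secrets.json or None. Environment values take precedence.
    """
    store = dict(secrets_json or {})
    store.update(env)
    creds, problems, referenced = {}, [], set()
    for key, raw in config["broker"]["credentials"].items():
        m = PLACEHOLDER_RE.match(str(raw))
        if not m:
            # A literal here means a secret was written into config.json itself.
            problems.append(f"{key}: literal value in config.json, use ${{VAR}}")
            continue
        name = m.group(1)
        referenced.add(name)
        value = store.get(name)
        if not value:
            problems.append(f"{key}: {name} is set in neither env nor secrets.json")
        elif value in DOC_SAMPLES:
            problems.append(f"{key}: {name} still holds a documentation sample value")
        else:
            creds[key] = value
    for name in REQUIRED_SECRETS:
        if name not in referenced and not store.get(name):
            problems.append(f"{name} is required but neither referenced nor set")
    return creds, problems


def mode_is_private(mode):
    """True when no group/other permission bits are set (0600 or tighter)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def secrets_file_is_private(path):
    """Check config/secrets.json so other local users cannot read the broker keys."""
    return mode_is_private(stat.S_IMODE(Path(path).stat().st_mode))
```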

Data Sources

All data is scraped directly from official government sources:

Source       Data                Method
House Clerk  House PTR filings   PDF parsing
Senate eFD   Senate PTR filings  Selenium scraping

No third-party APIs required for congressional data.

Strategy Settings

Edit config/config.json to customize:

{
  "strategy": {
    "entryDelayDays": 3,
    "holdingPeriodDays": 30,
    "purchasesOnly": true,
    "minimumTradeSize": 50000
  },
  "riskManagement": {
    "positionStopLoss": 0.08,
    "trailingStopActivation": 0.10,
    "trailingStopPercent": 0.05,
    "maxDrawdown": 0.15
  }
}

Commands

# Interactive mode
python3 src/main.py interactive

# Single check cycle
python3 src/main.py run

# Scheduled trading
python3 src/main.py schedule 24

# Run backtest
python3 src/backtester.py

Cron Automation

# Install cron jobs
./scripts/setup_cron.sh

# Manual runs
./scripts/run_bot.sh check    # Check for new trades
./scripts/run_bot.sh monitor  # Check stop-losses
./scripts/run_bot.sh full     # Both

Architecture

clawback/
├── src/
│   ├── main.py              # Main entry point
│   ├── congress_tracker.py  # Congressional data collection
│   ├── trade_engine.py      # Trade execution & risk management
│   ├── broker_adapter.py    # Abstract broker interface
│   ├── etrade_adapter.py    # E*TRADE broker implementation
│   ├── database.py          # SQLite state management
│   └── config_loader.py     # Configuration handling
├── config/
│   ├── config.json          # Main configuration
│   └── secrets.json         # API keys (git-ignored)
├── scripts/
│   ├── run_bot.sh           # Cron runner
│   └── setup_cron.sh        # Cron installer
└── data/
    └── trading.db           # SQLite database

Risk Disclaimer

This software is for educational purposes only. Trading stocks involves substantial risk of loss. Past performance of congressional trades does not guarantee future results. The authors are not financial advisors. Use at your own risk.

License

MIT License - See LICENSE file


Built with ClawBack for the OpenClaw community
