APEX IA Pro
Warn
Audited by ClawScan on May 11, 2026.
Overview
Although presented mainly as a Binance Futures scanner, the package includes code for automatic leveraged trading with embedded Binance credentials and an undeclared runtime package install.
Treat this as a Review item, not a scanner-only install. Do not run the trading scripts with real Binance credentials, and do not assume the package is read-only. If you still evaluate it, use an isolated environment, testnet-only keys, inspect which entry point OpenClaw will invoke, remove hardcoded credentials, disable autoTrade, and require explicit confirmation before any order is placed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this code is run with working trading credentials or switched from demo to live, it can open leveraged futures positions without a clear per-trade approval flow.
The included script defaults to automatic trading, high leverage, no stop loss, and sends signed Binance Futures market orders.
```javascript
let MAX_LEVERAGE = 20; ... let TAKE_PROFIT_PERCENT = 200; let USE_STOP_LOSS = false; let autoTrade = true; ... binanceRequest('POST', '/fapi/v1/order', ... type: 'MARKET' ...)
```
Disable automatic trading by default, require explicit user confirmation before every order, enforce conservative risk limits, and clearly separate scanner-only functionality from trade execution.
Hardcoded trading credentials create unclear account ownership and privilege boundaries, and they normalize unsafe credential handling for a financial account integration.
Binance credentials are embedded in code and used for signed requests, while the registry declares no required credentials.
```javascript
const API_KEY = 'Dq0vl5...'; const API_SECRET = '1kVF6...'; ... headers: { 'X-MBX-APIKEY': API_KEY }
```
Remove hardcoded secrets, declare credential requirements, use a secret store or environment variables, and require least-privileged user-owned testnet/live keys with trading permissions clearly explained.
Running the script may modify the local environment and fetch code from npm outside the normal reviewed installation process.
The package contains a shell command that installs an npm dependency at runtime despite having no declared install spec.
```javascript
execSync('npm install ws', { stdio: 'inherit' });
```
Move dependency installation to a declared install step, pin dependencies with a lockfile, and avoid runtime package installation from skill code.
A user may install or invoke the skill believing it is read-only market analysis while the package also contains code capable of financial account mutation.
The primary documentation frames the skill as an analysis/scanner tool, but included code contains automatic trading behavior.
`apex-scan` | Scans all pairs and returns the best setups ... / "This skill is an analysis tool."
Make the documentation match the shipped capabilities, prominently disclose any automation and order-placement paths, and require a scanner-only safe mode by default.
