Openclaw
Warn
Audited by ClawScan on May 16, 2026.
Overview
This skill is transparent about connecting to DRADIS, but it can change live trading settings and send an API key, so it needs careful review before use.
Only install this if you intentionally want an agent to monitor and potentially modify a DRADIS trading engine. Use a trusted local or private DRADIS_API_URL, a dedicated least-privilege API key, and require manual confirmation plus rollback planning before any configuration patch.
Publisher note
Ability to PATCH live strategy parameters
Forwarding of a sensitive DRADIS_API_KEY
These are intentional and documented. The skill never applies config changes without explicit human confirmation. I strongly recommend using a dedicated, least-privilege API key and only running this skill against your own trusted DRADIS instance.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad configuration change could immediately affect automated trading behavior and potentially cause financial loss.
The skill exposes a live configuration mutation path for a real-money trading engine. Although it tells the agent to get explicit confirmation, the artifact does not define technical limits such as allowed fields, value ranges, rollback behavior, or containment for bad updates.
**This skill controls a live trading system with real money at risk.** ... `patch_dynamic_config` changes live strategy parameters without restarting the engine.
Use this only with explicit human approval for every write, review the exact diff before applying it, prefer a staging DRADIS instance first, and add strict server-side limits or a least-privilege key that cannot make unrestricted configuration changes.
If the key is over-privileged or the API URL points to an untrusted endpoint, someone could gain access to trading status or control functions.
The skill will use a sensitive API key for DRADIS requests. This is expected for the integration, but it means the configured endpoint and key scope are important security boundaries.
Set `DRADIS_API_KEY` in your OpenClaw configuration. The skill automatically adds the header to every request.
Use a dedicated, least-privilege DRADIS_API_KEY, point DRADIS_API_URL only at your trusted DRADIS instance, and rotate the key if it may have been exposed.
