Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crypto Signals Automation
v1.0.0
Build and operate a crypto signal trading automation using RapidAPI cryptexAI Buy & Sell Signals as signal source and dYdX v4 for execution. Use when setting...
by RickySmolders @mdann1992
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The description and SKILL.md promise a complete pipeline (signal ingestion, dYdX v4 order execution, TP/SL, retries, Telegram notifications). The included code, however, only implements RapidAPI fetch and writes an .env template; there is no dYdX client, no execution logic, and no Telegram notifier. Additionally, the registry metadata declares no required env vars or primary credential despite the skill explicitly requiring RapidAPI keys and dYdX secrets — this mismatch indicates the package is incomplete or misleading.
Instruction Scope
Runtime instructions ask the agent/operator to collect and handle highly sensitive secrets (RapidAPI key, dYdX wallet/mnemonic/API secrets, Telegram bot token) and to 'wire runtime script/cron' that will autonomously open/close orders. The instructions are open-ended about implementation details and grant broad discretion (e.g., scheduling, retries, cleanup) but the shipped code does not implement these behaviors. This gap increases the risk that users will paste secrets into chat or install/adapt third-party code of unknown provenance.
Install Mechanism
There is no install spec (instruction-only + two small helper scripts). No external downloads or installers are used. The only file-writing behavior is the bootstrap script which creates a local .env template; that itself is low-risk but should be noted since it touches the filesystem.
Credentials
The skill requires multiple high-privilege secrets (RAPIDAPI_KEY, DYDX_API_KEY/SECRET/PASSPHRASE, DYDX mnemonic path, Telegram bot token) according to SKILL.md and bootstrap template, but the skill manifest lists none. Requesting wallet mnemonic and exchange API credentials is reasonable for trading automation, but the lack of declared required env vars and the package's incomplete implementation means users may be asked to provide sensitive credentials without clear, auditable code that will use them — disproportionate and potentially hazardous.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or modify other skills. It writes a local .env template if run, which is expected and scoped to the project directory.
What to consider before installing
This package is internally inconsistent: the README and templates expect RapidAPI and dYdX credentials (including a mnemonic) but the manifest claims no required env vars and the code does not implement dYdX/trading execution. Before installing or providing secrets: (1) do not paste real mnemonics or API secrets into chat; (2) review all code that will run the trading/execution logic — it is not included here; (3) require the author to provide or sign the dYdX execution code and update the manifest to declare required env vars; (4) test with throwaway/testnet accounts and minimal permissions only; (5) keep secrets in a secure vault and rotate them if exposed. If you cannot perform a code review, avoid supplying any real credentials or mnemonic material to this skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk97dyqzjzh1hkk6hqjsk9k4ps182mn46
