Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Trading Bot Risk-as-a-Service: Real-Time Portfolio Risk Monitoring for Multi-Exchange Operations
v1.0.0
Build a cross-exchange, cross-strategy real-time portfolio...
by @mirni
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description promise a production-grade cross-exchange risk monitoring system (event bus, webhooks, SLA monitoring). As an instruction-only skill this is plausible, but the guide explicitly references third-party services (GreenHelix event bus) and multi-exchange aggregation which normally require API keys, webhook endpoints, and service credentials. The skill declares no required env vars, primary credential, or config paths — a mismatch between claimed capabilities and declared requirements.
Instruction Scope
The SKILL.md instructs building a system wired to webhooks and an event bus and to perform production deployment. Those runtime actions typically require network calls, service credentials, and configuration of webhook endpoints. Because the skill is instruction-only and can be invoked autonomously, it could prompt the agent or user to supply secrets or to configure endpoints that would send aggregated portfolio data off-box. The provided excerpt does not show explicit commands reading local system files, but the production/deployment chapters likely include steps that affect networking and external endpoints — this broad scope is not constrained by declared inputs.
Install Mechanism
No install spec and no code files — the skill is instruction-only. That minimizes on-disk code execution risk from the skill bundle itself.
Credentials
Zero required environment variables or credentials are declared, yet the guide's purpose (aggregating positions across exchanges, webhooks, event bus) normally requires exchange API keys and service tokens. The omission is a proportionality/information mismatch: either the guide expects the user/agent to provide secrets ad-hoc (risk: pasting keys into chat) or it glosses over necessary credentials. Both are risky for autonomous or unsupervised use.
Persistence & Privilege
Skill is not marked always:true and does not request system-wide configuration changes in the manifest. As instruction-only content it does not request persistent presence on the agent by itself.
What to consider before installing
This skill is a long how-to for building a cross-exchange risk-monitoring system and is instruction-only (no code installed). The red flag: it references external services (GreenHelix event bus, webhooks, multiple exchanges) but declares no required credentials. Before installing or invoking this skill, do not paste API keys or secrets into the chat. Instead:
(1) Inspect the full SKILL.md locally to find any places it asks for API keys, webhook URLs, or to send data to third-party endpoints.
(2) If you intend to follow the guide, configure exchange API keys and webhook endpoints outside the agent (in your own code or infrastructure), not by giving them to the skill/agent.
(3) Verify who 'GreenHelix' is and whether any endpoints or example URLs in the document are legitimate.
(4) Run any code snippets in an isolated/dev environment and review them for network calls that send portfolio data off-site.
(5) If you expect the agent to act autonomously with credentials, require explicit review/approval steps and avoid granting long-lived keys.
If you can share the full SKILL.md or specific sections that set up event bus/webhooks, I can point out exact lines that request secrets or external endpoints and refine this assessment.
Like a lobster shell, security has layers — review code before you run it.
Tags: ai-agent, circuit-breaker, greenhelix, guide, latest, monitoring, openclaw, portfolio, risk-management, trading-bot
