ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tradebot Ops

v1.0.0

Monitor trading bot health by detecting stalls, verifying LIVE status and data freshness, restarting safely if needed, and summarizing status clearly.

0· 393·1 current·1 all-time
by@motivationationdaily

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for motivationationdaily/tradebot-ops.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Tradebot Ops" (motivationationdaily/tradebot-ops) from ClawHub.
Skill page: https://clawhub.ai/motivationationdaily/tradebot-ops
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install motivationationdaily/tradebot-ops

ClawHub CLI

Package manager switcher

npx clawhub@latest install tradebot-ops
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the SKILL.md checklist (detect stalls, verify LIVE, restart). However the skill declares no required binaries, env vars, or config paths while instructing the agent to read local files and stop/restart bot PIDs — actions that normally require filesystem and process-control privileges. The missing declaration of these needs is an inconsistency (under-specification) rather than outright maliciousness.
!
Instruction Scope
SKILL.md explicitly instructs reading specific files (dist/out/live_*.json/csv) and contacting UI endpoints (/api/trading/*), and to stop/restart the bot process. It is vague about how to authenticate to the API, where audit logs are written, and which commands are permitted for stopping/starting the bot. The open-ended 'stop bot PID → apply+restart' and lack of bounds (who may be restarted, required checks, rollback behavior) grants broad discretion and risk if misused.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is the lowest installation risk — nothing is downloaded or written by an installer.
Credentials
The skill requires access to specific local files and process control but declares no env vars or primary credential. If its API endpoints require authentication or if restarting the bot requires elevated privileges, credentials or config paths should be declared. The absence of declared credentials is an under-specification that could hide required sensitive access.
Persistence & Privilege
always:false and no persistence/install behavior are present. Autonomous invocation is allowed (platform default) but not combined here with other elevation flags. The main concern is that an autonomously-invoked agent with filesystem/process privileges could perform impactful actions — this is a procedural risk, not a declared privilege from the skill metadata.
What to consider before installing
This skill looks like it was written to operate a real trading bot, but it leaves out key operational details. Before installing, confirm: (1) where the audit logs go and who can read them; (2) whether the agent runtime will have permission to read dist/out/* and to kill/start processes (these are privileged actions); (3) whether the /api/trading endpoints require authentication and, if so, what credentials will be used (the skill declares none); (4) add explicit safety checks and a human-confirm step before automated restarts in production to avoid accidental trading disruption. If you intend to use it, test in a safe staging environment with minimal privileges and explicit, auditable controls for restart actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk974fwvvqz605dd5fmc6k23k3d82021c
393downloads
0stars
1versions
Updated 21h ago
v1.0.0
MIT-0
@motivationationdaily
latest
Download

tradebot-ops

Purpose

Operate and monitor the trading bot safely: detect stalls, verify LIVE/halting state, validate data freshness, restart cleanly, and produce human-readable health summaries.

Use when

  • Bot shows LIVE but no updates (stale heartbeat/bars)
  • Chart frozen / signals file not updating
  • Need to answer: “Is it running? Is it safe? Why no trades?”

Inputs

  • dist/out/live_heartbeat_*.json
  • dist/out/live_signals_*.csv
  • dist/out/live_trades_*.csv (if present)
  • UI endpoints: /api/trading/*

Outputs

  • One-paragraph health summary
  • If unhealthy: one action (restart/clear stale) + verification
  • Audit log entry

Safety rails

  • Never raise risk_pct automatically.
  • Prefer restart/self-heal over loosening risk.

Checklist

  1. Confirm UI server reachable /api/status.
  2. Read heartbeat: mode/status/halted/in_position/last_bar_ts.
  3. Freshness: _hb_age_s, _bar_age_s.
  4. Confirm signals file mtime is recent.
  5. If stale: stop bot PID (runtime or heartbeat pid) → apply+restart.
  6. Re-check last_bar_ts advances.

Comments

Loading comments...