crypto-trader

v1.0.0

Automated cryptocurrency trading skill for OpenClaw. Supports 8 trading strategies (Grid Trading, DCA, Trend Following, Scalping, Arbitrage, Swing Trading, C...

by Naoufal Andichi (@nandichi)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and included code (strategy modules, exchange manager, backtester, monitor daemon, notifier) are consistent with an automated crypto trading skill. Required binary (python3) and the declared primary credential (BINANCE_API_KEY / BINANCE_API_SECRET) are appropriate for Binance connectivity. Multi-exchange support and sentiment analysis in the code align with the description.
Instruction Scope
SKILL.md instructs the agent to run many Python scripts that can check balances, start/stop strategies, and place orders. It also references many optional environment variables (Bybit/Kraken/Coinbase keys, TELEGRAM_BOT_TOKEN, DISCORD_WEBHOOK_URL, Twitter bearer token, CryptoPanic key, CRYPTO_DEMO) that are not listed as required in the registry metadata. The skill will send data to external endpoints (Telegram/Discord/Email) and persist state to files under the user's home (~/.openclaw). Those actions are coherent with a trading tool, but the mismatch between declared vs referenced env vars means the agent may access credentials beyond what was advertised.
Install Mechanism
There is no formal install spec in the registry; SKILL.md tells the user to run `pip install -r {baseDir}/requirements.txt`. Requirements include heavy ML and networking packages (torch, transformers, tweepy, praw, python-telegram-bot, discord.py, aiohttp, websockets). Installing via pip from PyPI is common but can be large, may require system-specific build steps, and can alter the environment; the recipe is traceable but non-trivial.
Credentials
Registry metadata requires only BINANCE_API_KEY and BINANCE_API_SECRET (primaryEnv set). SKILL.md, config files, and code reference many additional environment variables (other exchanges' API keys, CRYPTO_DEMO, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, DISCORD_WEBHOOK_URL, CRYPTOPANIC_API_KEY, Twitter bearer token, email SMTP settings, etc.). Those optional credentials are plausible for the stated features, but they are not declared up front — the mismatch should be noted because the skill may use or request sensitive tokens beyond the two required vars.
Persistence & Privilege
always:false (good). The skill includes a monitor daemon that writes PID/state files under the user's home (~/.openclaw/.crypto-trader-monitor.json and .pid). The daemon can start/stop processes via os.kill (to manage its own PID file) and is designed to be run in background or via cron. Autonomous invocation is possible (default) and the SKILL.md even recommends cron entries; this increases blast radius if misconfigured but is consistent with a trading agent.
What to consider before installing
This package appears to be a genuine automated trading tool, but take precautions before enabling it:
- Start in paper/testnet mode (CRYPTO_DEMO=true) — do not set CRYPTO_DEMO=false until you've fully tested behavior.
- Use API keys with minimal permissions: create sandbox/testnet API keys and disable withdrawals on any real exchange keys. Prefer keys limited to trading and reading balances.
- The skill references additional tokens (Telegram, Discord, CryptoPanic, Twitter, other exchanges) but only Binance creds are declared as required; review and decide which optional tokens you will provide.
- The SKILL.md asks you to pip install many packages (including torch/transformers). Install in an isolated virtualenv or container to avoid polluting your system Python.
- The monitor daemon persists state and writes PID files under your home directory (~/.openclaw). Inspect those files and the code (monitor_daemon.py, notifier, exchange_manager) before running to confirm where data is stored and where notifications are sent.
- Review source files (especially exchange_manager, notifier, and scripts/main.py) to verify there are no unexpected network endpoints or hardcoded URLs. If you cannot audit, run the skill in an isolated sandbox VM or container with limited network access first.
- Consider running unit tests and backtests (these are included) and exercising the code with mock exchange objects before attaching real API keys.
- If you allow autonomous/crontab invocation, be explicit about what triggers live trading (e.g., ensure confirmations are enforced and that the agent will not start live strategies without explicit user approval).

If you want, I can: list exact lines where optional env vars are read, summarize notifier/exchange_manager behavior, or point out files to review first (exchange_manager.py, notifier.py, scripts/main.py, monitor_daemon.py).

Like a lobster shell, security has layers — review code before you run it.

Tags: arbitrage, backtesting, binance, bot, crypto, dca, latest, trading

Runtime requirements

Bins: python3
Env: BINANCE_API_KEY, BINANCE_API_SECRET
Primary env: BINANCE_API_KEY
