Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

trading212 Skill

v1.0.0

Analyzes Trading212 portfolio, generates daily summaries with P&L and top gainers/losers, makes trade proposals based on configurable rules, and can place or...

0· 675·1 current·1 all-time
by Naoufal Andichi (@nandichi)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match code and required items. The skill requires Trading212 API key/secret and Python, implements portfolio summary, proposal generation, and order placement via the Trading212 REST API (demo/live endpoints). Required env vars and declared binaries are proportionate to the stated functionality.
Instruction Scope
SKILL.md and scripts instruct running pip install -r requirements.txt and running the provided Python scripts. The skill loads a .env file (if present) before initializing, reads config/*.yaml files, and writes snapshots to a snapshots/ directory. SKILL.md emphasises explicit user confirmation before executing trades, but the code provides an execute_trade mode that will place orders when invoked with parameters — therefore the agent or user must follow the confirmation guidance to avoid unintended live orders.
Install Mechanism
No install spec provided; the skill includes a requirements.txt (requests, python-dotenv, pyyaml) and asks the user to run pip install -r requirements.txt. These are common packages from PyPI; there are no downloads from untrusted URLs or archive extraction steps in the bundle.
Credentials
The only mandated secrets are TRADING212_API_KEY and TRADING212_API_SECRET (primary credential declared). Optional env vars (TRADING212_DEMO, TRADING212_SNAPSHOT_DIR, TRADING212_RULES_PATH) are reasonable. One caveat: the code automatically loads a .env file (if present) into the process environment (via python-dotenv). If a project .env contains unrelated secrets, those values will be accessible to the running code; while the code does not appear to read or transmit unrelated secrets, loading .env increases the surface area and should be considered before installation.
Persistence & Privilege
The skill writes daily snapshot JSON files to a snapshots/ directory (created if missing) and uses in-memory caching. It does not request always:true and does not modify other skills. Because it can place live orders when TRADING212_DEMO=false, granting it API credentials plus allowing autonomous invocation increases risk — the SKILL.md warns to require explicit confirmation and to keep demo=true by default.
Assessment
This skill appears to do what it says: portfolio analysis, trade proposals, and order placement via Trading212. Before installing:
1) Keep TRADING212_DEMO=true (paper trading) until you have tested and reviewed behavior; only set TRADING212_DEMO=false when you intentionally want live trades.
2) Review and control the .env file in the project root — it will be loaded into the process and may contain other secrets.
3) Provide only the Trading212 API key/secret to this skill; do not reuse highly privileged credentials.
4) Inspect the config/ files (rules.yaml, watchlist.yaml, allocation.yaml) to understand automated proposal rules.
5) Install Python dependencies from a trusted environment (pip install -r requirements.txt) and review the code if you plan to grant the skill the ability to place live orders or permit autonomous agent invocation.

Runtime requirements

Bins: python3
Env: TRADING212_API_KEY, TRADING212_API_SECRET
Primary env: TRADING212_API_KEY
