ClawHub

BTC Analyzer

v1.0.0

Fetch live BTCUSDT 15m candles from Binance public API and analyze market direction UP/DOWN/SKIP using EMA20 and RSI14. Use when asked to analyze BTC price d...

0· 834·2 current·3 all-time
byIndra Riswana@newbienodes
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The declared capability (fetch BTCUSDT 15m candles from Binance public API and compute EMA20/RSI14) aligns with requiring python3 and making public REST calls to Binance. However the SKILL.md expects a local script at ~/.npm-global/lib/node_modules/openclaw/skills/btc-analyzer/analyze.py to perform the work, but the skill package contains no code or install spec to place that script there. That mismatch is unexplained.
!
Instruction Scope
The runtime instructions explicitly tell the agent to run a local Python script at a hardcoded path and parse its JSON output. The skill text only references Binance public API (which is fine), but because the script is not included, the agent would either fail or attempt to execute whatever file exists at that path on the host — which could be any arbitrary code. The instructions do not provide safe fallback behavior or a way to obtain/inspect the script prior to execution.
!
Install Mechanism
There is no install spec or bundled code, yet the instructions assume the analyzer script lives under ~/.npm-global/lib/node_modules/… suggesting an npm/global install that never occurs in this package. This gap is a red flag: running an assumed-but-unprovided local binary/script is incoherent and could lead to execution of unknown code if a file exists at that location.
Credentials
The skill requests no environment variables or secrets and only requires python3. It makes network calls to Binance public API (no API key required), which is proportional to the stated purpose. There are no additional, unexplained credential or config demands.
Persistence & Privilege
The skill does not request always: true and makes no claims about modifying other skills or system-wide settings. It is user-invocable and allowed to be called autonomously by default, which is normal for skills; that alone is not concerning here.
What to consider before installing
Do not enable or run this skill until you can verify the analyze.py it intends to execute. The SKILL.md tells the agent to run a local Python script at a hardcoded path, but the package contains no code or install instructions — that means the agent would run whatever is present at that path on your machine. Ask the skill owner for the source repository or an install script, or request that the skill bundle its analyze.py (or provide a trustworthy install step). If you must test it, inspect the file ~/.npm-global/lib/node_modules/openclaw/skills/btc-analyzer/analyze.py manually before allowing the skill to execute it, and review it for network calls, shell execution, or secret access. If you cannot inspect the file or obtain a trusted source, avoid installing this skill.

Like a lobster shell, security has layers — review code before you run it.

binancevk972m10w2r660jh28qxb9d8xp181nzt7bitcoinvk972m10w2r660jh28qxb9d8xp181nzt7cryptovk972m10w2r660jh28qxb9d8xp181nzt7latestvk972m10w2r660jh28qxb9d8xp181nzt7signalvk972m10w2r660jh28qxb9d8xp181nzt7tradingvk972m10w2r660jh28qxb9d8xp181nzt7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
Binspython3

Comments