Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Trade Memory
v1.0.0
Save a trade or signal event to local memory log file (trades.jsonl). Use when a trade signal is confirmed and needs to be recorded, saved, or logged for fut...
by Indra Riswana @newbienodes
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The goal (persist trade events) reasonably needs a local script and python3, but the SKILL.md assumes a specific script exists at ~/.npm-global/lib/node_modules/openclaw/skills/trade-memory/save.py and writes to /home/windows_11/.openclaw/... The skill bundle contains neither code nor install instructions to create that script or ensure the file path exists, which is inconsistent.
Instruction Scope
Runtime instructions explicitly tell the agent to execute a local Python script with user-supplied JSON and to 'always run the script — never simulate.' They reference specific filesystem paths and create/write behavior. Because the script is not included, following the instructions could cause the agent to execute an unexpected local binary or fail; the directive to always execute increases risk if a malicious or replaced script exists at that path.
Install Mechanism
There is no install spec or code files. Yet the instructions rely on a script stored under an npm-global path. This is a packaging/integration mismatch: either the skill should include the save.py or provide an install step. The lack of an authoritative source for the script means the agent will rely on whatever is already on the host, which is unsafe/unreliable.
Credentials
The skill requests only python3 and no credentials, which is proportional to logging trades. However, it hardcodes user-specific filesystem locations (~ and /home/windows_11) without declaring config paths; this may lead to accidental access of unrelated files or failure on different hosts.
Persistence & Privilege
The skill does not request persistent/always-enabled privileges and is user-invocable. Still, because it instructs execution of a local script and creation/appending of files, verify the script's provenance before allowing the agent to run it autonomously.
What to consider before installing
Do not install or run this skill until you verify where save.py comes from. The SKILL.md expects a local Python file at ~/.npm-global/lib/node_modules/openclaw/skills/trade-memory/save.py and will append to /home/windows_11/.openclaw/polymarket-workspace/trades.jsonl, but the skill package provides no code or installer. Actions to take before use:
- Inspect the actual save.py that would be executed (open its source) and confirm its contents and origin.
- If you maintain the file, prefer packaging the script with the skill or provide an explicit install step rather than relying on an arbitrary npm-global path.
- If you don't control the host path, refuse installation or run in a sandbox until provenance is confirmed.
- Consider modifying the skill to write to a configurable, documented path and to include the script inline in the skill bundle so behavior is auditable.
- Treat the 'always run the script — never simulate' instruction as an extra risk: ensure the script is safe before permitting autonomous execution.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🧠 Clawdis
Bins: python3
