Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Signal Generator

v1.0.0

Generate trading signals using BB Breakout or RSI Reversal strategies and send automated alerts to Discord, Telegram, or custom channels.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
SKILL.md and README claim the skill will 'send alerts to Discord/Telegram' and accept 'targets' in config, but signal_generator.py never implements network posting or uses the 'targets' configuration — it only writes last_signal.json. The code does implement data fetching and indicator calculations (ccxt/binance for public OHLCV), which fits the signal-generation purpose. However, the script also force-inserts '/root/quant-trading-bot' onto sys.path and run.sh/README reference a /root/quant-trading-bot venv — this external dependency on a host path is unexpected for a standalone skill and not justified by the documentation.
Instruction Scope (flagged)
Runtime instructions tell the user to configure channel IDs and imply the skill will send alerts; the code only formats messages and saves signals to last_signal.json. SKILL.md's troubleshooting explicitly directs checking /root/quant-trading-bot, which means the runtime behavior can depend on files outside the skill directory. The instructions do not request tokens/credentials for Discord/Telegram, nor do they explain how those targets will be used, leaving ambiguity and possible scope creep (relying on external system integration).
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded by an installer. That's low risk. However, package.json and run.sh reference Python packages and a /root/quant-trading-bot venv, which suggests the author expects a specific host environment; that is unconventional but not directly malicious.
Credentials (flagged)
The skill declares no required env vars or credentials, yet advertises sending alerts to Discord/Telegram. If users expect autonomous sending, tokens would normally be required — their absence indicates either (a) the skill expects OpenClaw to perform delivery from last_signal.json, or (b) the implementation is incomplete. Additionally, modifying sys.path to include '/root/quant-trading-bot' lets the skill import arbitrary code from that host path, which could expose or reuse credentials and is disproportionate for a simple signal generator.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide configuration changes. It writes last_signal.json in its own directory and otherwise does not persist or alter other skills. Autonomous invocation is allowed (default) but not a special privilege here.
What to consider before installing
This skill produces trading signals locally and saves them to last_signal.json, but it does not itself send messages to Discord/Telegram despite the documentation saying it will. Before installing or running:
1) Do not assume it will post to external channels — inspect or add delivery code that uses secure storage of API tokens if you want that behavior.
2) Review any /root/quant-trading-bot repository on your system: the script inserts '/root/quant-trading-bot' onto sys.path and may import code from there, which could run with your environment's privileges or access secrets.
3) Run the skill in an isolated environment (non-root container or VM) and verify exactly what network calls it makes (it should only call Binance public endpoints via ccxt).
4) If you expect alerts to be sent automatically, either configure a safe delivery wrapper (with explicit, secure tokens) or confirm how OpenClaw will pick up last_signal.json and deliver alerts on your behalf.
5) If you are not comfortable with the host-path dependency or the missing send-logic, treat this package as incomplete or require the author to clarify and fix before use.



