Skill v1.0.0
ClawScan security
Openclaw Trading Suite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 6:07 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill claims end-to-end live/paper trading capabilities but the package metadata does not declare the broker/API credentials or environment requirements and includes code that can discover adapters and persist/execute orders; the omission of required secrets and the local-skill discovery behavior are incoherent and warrant caution.
- Guidance: Before installing or enabling this skill, consider the following:
  1. Do not enable live trading until you have audited adapter implementations that will perform order submission (search for adapters that call broker APIs) and verified where API keys must be provided.
  2. Require explicit, per-hypothesis live approvals and keep the default paper-only mode; test extensively in paper mode.
  3. Inspect secrets handling (references/secrets_management.md and src/openclaw_trading_suite/security/secrets.py) to see exactly which environment variables, SecretRef names, or file paths the code reads; add those names to the registry or deny runtime access until confirmed.
  4. Review SkillDiscoveryService / AdapterRouter code: if you want to prevent the skill from scanning other local skills or files, restrict its file-system permissions or ask the author to remove/limit discovery.
  5. Run the test suite locally and audit network endpoints the code contacts (look for hostnames/IPs in adapter implementations).
  6. If you plan to allow autonomous invocation, limit the agent's scope (e.g., prevent live-mode adapter credentials from being present in the same environment, require manual approval for any live switching).
  7. If you cannot audit the code or confirm credential usage, consider treating this skill as research-only and avoid supplying real broker credentials.
Review Dimensions
- Purpose & Capability (concern): The skill advertises full lifecycle trading (research → execution → live graduation) and references real brokers (Alpaca, Binance, Kalshi) in the plans, yet the registry lists no required environment variables, no primary credential, and no required config paths. A trading orchestration skill that can place live orders would legitimately require broker API keys, exchange credentials, or SecretRefs; their absence in the declared requirements is an incoherence that could be benign (the author left them out to be adapter-specific) but is unexpected and increases risk.
- Instruction Scope (note): SKILL.md instructs the agent to ingest market/news data, run screeners, gate and execute orders, and 'log every step to persistent storage'. References and adapter contract docs instruct the use of a SkillDiscoveryService and AdapterRouter which explicitly scan local skill roots for SKILL.md capabilities; this gives the skill discretion to read local skill files and register adapter routes. Reading local skill roots can be plausible for adapter discovery but is broader scope than a simple 'trading helper' and could expose other local skill metadata; the instructions otherwise stay within trading purpose (paper-first by default, per-hypothesis approval for first live deployment).
- Install Mechanism (ok): No install spec is provided (instruction-only), and all code files are included in the repo. There is no remote download or external install command in the manifest, which reduces third-party install risk. However, the skill contains substantial Python modules (adapters, sqlite store, secrets handling), so runtime execution will depend on the agent environment's Python runtime and network access.
- Credentials (concern): The manifest declares no required env vars or primary credential even though the plans and docs explicitly reference Alpaca, Binance, Kalshi, and SecretRef handling. Trading and execution adapters normally require API keys and secrets; omitting them from requires.env is disproportionate. It is unclear whether the skill expects credentials to be supplied ad-hoc or via OpenClaw SecretRefs, but the registry should list at least the types of secrets the skill will access. Also, the repo contains a security/secrets.py module and references secrets_management.md, indicating credential handling logic; without explicit declared envs, users cannot easily audit what secret names the code will read at runtime.
- Persistence & Privilege (note): The skill writes to persistent stores by design (SQLite-backed retention, model runs, orders, fills). That is coherent for a trading suite. The skill is not marked always:true. However, two points warrant attention: (1) the skill includes SkillDiscoveryService logic which scans local skill roots; this allows reading other local SKILL.md files and could reveal other skills' capabilities/config; (2) the agent-default autonomous invocation is permitted (disable-model-invocation: false). Autonomous invocation combined with persistence and potential adapter execution is expected for such a skill but raises operational risk if you enable live mode without strict guardrails.
