Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Trade Executor
v0.1.0
Execute cryptocurrency trades on exchanges (Binance, OKX) with risk controls, user confirmation, and audit logging.
⭐ 0 · 306 · 3 current · 3 all-time
by Parker @patches429
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill advertises support for Binance and OKX. The metadata/requirements only declare BINANCE_API_KEY and BINANCE_API_SECRET as required env vars (primaryEnv = BINANCE_API_KEY). However, impl/okx.md describes OKX-specific credentials (OKX_API_KEY, OKX_API_SECRET, OKX_PASSPHRASE). This mismatch means the skill's declared needs do not fully match its claimed capabilities.
Instruction Scope
SKILL.md and impl files instruct calling official exchange APIs (api.binance.com, api.okx.com), performing HMAC signing, and requiring user confirmation and risk checks — these are appropriate. However, the instructions reference openclaw.json allowedPairs and a gateway that tracks daily counts/losses across sessions without declaring access to those config or state paths. Also, impl/okx.md references environment variables not listed in the skill metadata, which indicates the runtime agent may access env vars beyond those declared.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk, which minimizes install-time risk.
Credentials
Requiring Binance API key/secret is proportionate for Binance trading. But because the skill also documents OKX integration that requires additional secrets, the environment requirements are incomplete/ambiguous. The skill may expect or attempt to read OKX credentials at runtime even though they aren't declared. The skill requests API keys (sensitive) and therefore the exact set of credentials should be clearly documented and limited to trade-only keys; that clarity is absent.
Persistence & Privilege
The skill sets always:false and has no install behavior that modifies other skills or system-wide config. The skill states it will not write files and relies on a gateway for audit logging, which is consistent with being instruction-only.
What to consider before installing
Do not install or grant API keys until the owner clarifies the credential requirements and behavior. Specific actions to consider before proceeding:
- Ask the publisher to update metadata to list OKX env vars (OKX_API_KEY, OKX_API_SECRET, OKX_PASSPHRASE) if OKX support is intended, or remove OKX docs if not.
- Only provide exchange API keys with minimal permissions (enable trading, disable withdrawals), and ideally restrict by IP or use testnet keys first.
- Confirm who/what provides the gateway that enforces cross-session limits and audit logging (openclaw.json and gateway behavior), and verify those controls exist in your environment.
- Verify the skill cannot bypass the explicit user confirmation step on your platform (test with a dry-run or very small orders in a sandbox environment).
- If you need higher assurance, request the skill source (code or full implementation) for review or prefer a well-audited plugin from a known publisher.
If you rely on OKX functionality and the skill's metadata is not corrected, treat the skill as incomplete/untrusted because it may attempt to access undeclared secrets at runtime.
Like a lobster shell, security has layers — review code before you run it.
latest vk97exwaz223pexq1t6b991257582kwbz
Runtime requirements
💹 Clawdis
Env: BINANCE_API_KEY, BINANCE_API_SECRET
Primary env: BINANCE_API_KEY
