ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trading Tournament

v1.0.0

Run autonomous multi-agent trading competitions on OKX. 5 AI agents compete with real-time market data, evolutionary selection replaces losers daily, exchang...

1· 550·2 current·2 all-time
by@peti0402
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's description is a trading tournament on OKX, which would legitimately need OKX API keys and a Node.js implementation. However, the registry metadata declares no required environment variables or code files, while the SKILL.md instructs creating .secrets/okx.env with OKX_API_KEY/SECRET/PASSPHRASE and copying a local folder 'bybit-trading/'. The 'bybit' folder name conflicts with the OKX target, which is an unexplained inconsistency. Expecting API credentials but declaring none in the registry is disproportionate and incoherent.
!
Instruction Scope
The runtime instructions tell the agent (or user) to copy a local folder, edit agents_config.json, create a .secrets/okx.env file with API credentials, and run `node competition_manager_okx.js`. Those files/scripts are not part of the packaged skill, so the instructions assume external code and secret storage. The SKILL.md also recommends a Guardian cron/Windows Task that kills/restarts processes and checks logs, which instructs actions that affect system services and secret files. These actions go beyond a simple informational skill and require access to local filesystem, process control, and sensitive credentials.
Install Mechanism
There is no install specification (instruction-only), which minimizes automatic installation risk. However, because the instructions rely on external Node.js scripts and a 'bybit-trading/' folder that are not provided, the skill in practice requires obtaining and running external code — the source and integrity of that code are unknown. The lack of an install mechanism combined with missing code is a red flag for manual code review before execution.
!
Credentials
The SKILL.md explicitly requires OKX_API_KEY, OKX_API_SECRET, and OKX_PASSPHRASE and instructs storing them in a .secrets file, but the registry declares no required env vars or primary credential. Requesting exchange API credentials is plausible for trading, but the undeclared nature plus instructions to persist secrets on disk (and to run restart scripts that may access them) is disproportionate without packaged code and provenance. The bybit/OKX naming mismatch further clouds whether those credentials are actually needed or being misdirected.
!
Persistence & Privilege
The skill does not set always:true, but it instructs installing a Guardian via cron/Windows Task to monitor and restart the competition manager, which creates ongoing background activity and process-control behavior on the host. That grants persistence and requires system privileges to manage processes/tasks; combined with secret storage and autonomous trading, this increases the potential impact if the code or operator is untrusted.
What to consider before installing
Do not supply real API keys or run unknown scripts without review. The SKILL.md asks you to create .secrets/okx.env with OKX credentials and to copy/run code that is NOT included in the package (it even references a 'bybit-trading/' folder while claiming OKX). This mismatch and the undeclared credentials are suspicious. If you consider using it: - Ask the publisher for the full source code and verify provenance before running anything. - Review all code for where it reads/writes .secrets/okx.env, where it sends network traffic, and any code that restarts processes or manipulates system tasks. - Use a demo OKX account with minimal permissions and no withdraw rights; rotate and limit keys (IP restrictions if available). - Run in an isolated environment (container or VM) and inspect logs and network traffic first. - Prefer immutable deployment (no automatic cron/Task installers) and avoid persisting secrets in plaintext on disk; use a secrets manager when possible. - Clarify the bybit/OKX inconsistency and confirm that the 'bybit-trading/' reference is not a copy-paste error that hides other mismatches. Given the missing files and undeclared sensitive requirements, treat this skill as untrusted until you can audit the code and confirm intent.

Like a lobster shell, security has layers — review code before you run it.

latestvk9719841zy6y9evwrn4vbrkcv581r6kv
550downloads
1stars
1versions
Updated 7h ago
v1.0.0
MIT-0
@peti0402
latest
Download

Trading Tournament 🏆

Run autonomous multi-agent trading competitions where AI strategies compete against each other with real market data.

What It Does

  • 5 agents compete simultaneously on OKX Demo (or Live)
  • Every 5 minutes: each agent analyzes candles, indicators, and decides to enter/exit
  • Daily evolution at 07:00: top 2 survive, bottom 2 get replaced by better strategies
  • Exchange-level stop-losses: positions are protected even if the bot crashes
  • 3-layer position sizing protection: unknown assets skipped, 50% equity cap, $500 hard max

Architecture

┌─────────────┐
│ Competition  │ ← runs every 5 minutes
│  Manager     │
└──────┬──────┘
       │
  ┌────┼────┬────┬────┐
  │    │    │    │    │
  v    v    v    v    v
Agent1 Agent2 Agent3 Agent4 Agent5
(S&D)  (RSI)  (S&D)  (RSI)  (RSI)
       │
       v
  ┌─────────┐
  │ OKX API │ ← real-time prices, order execution
  └─────────┘

Strategies Included

  1. Supply & Demand — Identifies accumulation/distribution zones, enters on retests
  2. RSI Mean Reversion — Overbought/oversold with EMA trend filter
  3. RSI Fast Confirm — 1-bar bounce confirmation with tight EMA alignment
  4. RSI Trend Filter — Long-period EMA filter with standard RSI levels

Safety Features

LayerProtectionWhat Happens
1CT_VALS lookupUnknown asset → SKIP (never enter blind)
250% equity capMax position = half of agent's capital
3$500 hard capAbsolute maximum notional per trade
4Exchange SLStop-loss on OKX itself (survives bot crash)
5GuardianWindows Task checks every minute, restarts if dead

Setup

Prerequisites

  • OKX account (Demo or Live)
  • API Key + Secret + Passphrase
  • Node.js 18+

Quick Start

  1. Copy bybit-trading/ folder to your workspace
  2. Create .secrets/okx.env:
OKX_API_KEY=your_key
OKX_API_SECRET=your_secret
OKX_PASSPHRASE=your_passphrase
  1. Edit agents_config.json with your preferred strategies and assets
  2. Run: node competition_manager_okx.js

Cron Setup (recommended)

Add a Guardian cron or Windows Task that checks competition_log_okx.txt freshness every minute. If log hasn't updated in 6 minutes → kill and restart.

Evolution Rules

Daily at 07:00:

  • 🥇 Rank 1 → Survives (strategy + assets)
  • 🥈 Rank 2 → Survives (strategy + assets)
  • 🥉 Rank 3 → Strategy stays, assets rotate to better performers
  • 4️⃣ Rank 4 → Fully replaced from best_strategies pool
  • 5️⃣ Rank 5 → Fully replaced from best_strategies pool

Criteria for new agents: PF > 1.5, DD < 25%, min 5 backtested trades.

Live Trading Checklist

Before going live with real money:

  • 7 days continuous run without crashes
  • P&L > 15% on demo
  • 30+ trades for top 3 agents
  • Max drawdown < 10%
  • 0 sizing bugs
  • Exchange-level SL verified on all new positions

Built With

  • Node.js + OKX REST API
  • Technical indicators (EMA, RSI, ATR, Supply/Demand zones)
  • Evolutionary selection algorithm
  • Real-time Telegram alerts

Comments

Loading comments...