Trading Tournament
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is transparent about being a trading bot, but it asks users to run unreviewed autonomous code with OKX trading credentials and possible live-money order execution.
Treat this as a high-risk financial automation skill. Do not connect it to a live OKX account unless you have reviewed the actual code, verified API scopes and safety limits, disabled withdrawals, tested on demo for an extended period, and have a clear way to stop the bot and watchdog.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to a live OKX account, the bot could open and close positions automatically and cause real financial losses.
The skill describes automated trading decisions and order execution. Because this can be used on OKX Live, the artifacts show high-impact financial actions without clear per-trade user approval or bounded API permissions.
Every 5 minutes: each agent analyzes candles, indicators, and decides to enter/exit ... OKX API ← real-time prices, order execution
Use demo mode only unless the implementation is independently reviewed; require explicit live-mode opt-in, strict API scopes, asset allowlists, loss limits, and a manual kill switch.
A user may grant the bot access to a trading account without clear registry-level warning about the credential and account authority involved.
The skill requires exchange credentials that can delegate trading authority. The registry metadata declares no required env vars or primary credential, so the credential requirement is under-disclosed outside the README text.
OKX account (Demo or Live) - API Key + Secret + Passphrase ... Create `.secrets/okx.env`: OKX_API_KEY=your_key
Declare the OKX credentials in metadata, document the minimum required API permissions, disable withdrawals, and advise users to use separate demo or limited-risk API keys.
Users would need to run unverified code that handles exchange credentials and places trades, which could be unsafe even if the skill text appears benign.
The supplied package is instruction-only and contains no reviewed implementation, but it tells users to run external JavaScript code for a financial trading system. The referenced folder name also does not match the OKX-focused skill, increasing provenance ambiguity.
Copy `bybit-trading/` folder to your workspace ... Run: `node competition_manager_okx.js`
Provide the actual code, lockfiles, and install spec for review; pin dependencies; clarify the source of the referenced folder; and avoid running unreviewed trading code with live credentials.
The trading bot may restart and continue operating unexpectedly, potentially continuing to place live trades when the user assumes it has stopped.
The skill recommends a persistent watchdog that restarts the autonomous trading process. This is user-directed, but in combination with live trading it can keep high-impact activity running after failures.
Add a Guardian cron or Windows Task that checks `competition_log_okx.txt` freshness every minute. If log hasn't updated in 6 minutes → kill and restart.
Only use a watchdog in demo mode or with strong controls; add a visible stop procedure, maximum runtime, emergency disable file, and alerts before any live restart.
