ClawHub

Phemex Cli

v2.0.0

Trade on Phemex (USDT-M futures, Coin-M futures, Spot) — place orders, manage positions, check balances, stream real-time market data, and query historical d...

0· 104·0 current·0 all-time
by@phemex
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the declared requirements: the skill needs the phemex-cli binary and PHEMEX_API_KEY/PHEMEX_API_SECRET, which are exactly what a Phemex trading CLI requires.
Instruction Scope
SKILL.md stays on-topic: it documents CLI commands, streaming, and credential loading from environment or ~/.phemexrc. It does not instruct the agent to read unrelated system files or exfiltrate data to unexpected endpoints. Note: it recommends persisting credentials in ~/.phemexrc, which is functionally reasonable but a sensitive action the user should handle carefully.
Install Mechanism
Install uses the npm package phemex-cli (creates the phemex-cli binary). This is an expected install route, but npm package installs can run arbitrary install scripts (postinstall) and will execute code on the host during install — verify package provenance (registry publisher, GitHub repo, package.json) before installing.
Credentials
Requested env vars are PHEMEX_API_KEY and PHEMEX_API_SECRET (primaryEnv = PHEMEX_API_KEY) — these are appropriate and sufficient for trading. No unrelated credentials are requested. The skill also mentions ~/.phemexrc as an alternate credential store (expected but sensitive).
Persistence & Privilege
always:false (normal). The skill can be invoked autonomously (platform default). That is expected, but because the skill can place real trades, allowing autonomous invocation without restrictions could result in unintended orders — consider limiting autonomous use or requiring explicit user confirmation for trade operations.
Assessment
This skill appears to be a straightforward wrapper around the phemex-cli tool, but you should take ordinary precautions before installing/using it: 1) Verify the npm package and GitHub repo (publisher, recent commits, issues) to reduce supply-chain risk—npm packages can run install scripts. 2) Prefer using environment variables over storing keys in plaintext files; if you do use ~/.phemexrc, set strict file permissions (chmod 600) and keep the file private. 3) Create API keys with minimal required permissions (e.g., read-only key for market queries; separate key with trading enabled only when you intend to place trades; do not enable withdrawals). 4) If you do not want the agent to place trades autonomously, disable autonomous invocation for this skill in your agent settings or require explicit confirmation for any trading command. 5) Before a global npm install, inspect the package.json and any postinstall scripts in the package source. These steps will reduce the main risks (credential exposure and malicious install-time scripts).

Like a lobster shell, security has layers — review code before you run it.

latestvk973yjwa5mxm4hz471bqby27bn839xae

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis
Binsphemex-cli
EnvPHEMEX_API_KEY, PHEMEX_API_SECRET
Primary envPHEMEX_API_KEY

Install

Install Phemex CLI (node)
Bins: phemex-cli
npm i -g phemex-cli

Comments