Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

pionex-portfolio

v1.0.0

Use when the user asks for Pionex account balance, available funds, or “how much USDT do I have”. Read-only; requires API credentials. Do NOT use for market...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for pibrandon/pionex-portfolio.

Install the skill "pionex-portfolio" (pibrandon/pionex-portfolio) from ClawHub.
Skill page: https://clawhub.ai/pibrandon/pionex-portfolio
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pionex-portfolio

ClawHub CLI

npx clawhub@latest install pionex-portfolio

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill's purpose (read-only Pionex account balances) is reasonable, but the registry metadata lists no required credentials or binaries while SKILL.md explicitly requires installing an npm package and states it requires API credentials. The declared runtime bins and credential needs in SKILL.md are not reflected in the skill's top-level requirements, which is incoherent.

! Instruction Scope
SKILL.md instructs the agent to install @pionex/pionex-ai-kit and run 'pionex-trade-cli account balance' and to run 'pionex-ai-kit onboard' to provide API credentials. The instructions do not describe how credentials are provided/stored or what permissions are required. 'onboard' could be interactive or write secrets to disk/network, which the registry metadata does not disclose.

! Install Mechanism
There is no install spec in the registry, but SKILL.md contains an install block that installs a public npm package (@pionex/pionex-ai-kit) and adds global bins. Installing a third-party npm package (global) is a moderate risk because arbitrary code will be executed on install/runtime; the registry should have declared this and justified it.

! Credentials
The skill states it requires API credentials but the registry lists no required env vars or primary credential. This omission prevents an informed review of the exact secret types needed. The skill should declare the exact credentials (e.g., PIONEX_API_KEY, PIONEX_API_SECRET) and recommend least-privilege (read-only) tokens.

Persistence & Privilege
always:false (good). However, SKILL.md suggests performing a global npm install, which writes binaries to disk and may persist configs/credentials via the 'onboard' flow. Autonomous invocation combined with undisclosed credential access increases potential blast radius, so clarify install and storage behavior.

What to consider before installing
This skill claims to be read-only but the package and credential requirements appear only inside SKILL.md and are not declared in the registry — that's a red flag. Before installing or enabling it, ask the publisher to: 1) explicitly list required credentials (names and recommended least-privilege scopes) and where/how they are stored; 2) provide the source (npm page and upstream repo) for @pionex/pionex-ai-kit so you can audit it; 3) explain what 'pionex-ai-kit onboard' does (interactive, network endpoints, files written, config paths). If you proceed, prefer supplying a read-only API key limited to balance queries, run the CLI install in a sandbox or container rather than system-wide, and review the npm package code (or install from a verified publisher) to ensure no unexpected network calls or secret exfiltration occur.

Like a lobster shell, security has layers — review code before you run it.

latestvk971690t38zp1kgzqeve3r18wx84zfzz
65 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

Pionex Portfolio (Account) Skill

Query spot account balances on Pionex. Requires API credentials (pionex-ai-kit onboard).

When to use

  • User asks: balance, available USDT/other currency, “how much can I spend”, account overview.

Command

Command | Type | Description
pionex-trade-cli account balance | READ | All spot balances. Output is JSON; filter by currency (e.g. USDT) as needed.

Prerequisites

npm install -g @pionex/pionex-ai-kit
pionex-ai-kit onboard

Skill routing

  • Balance / account → pionex-portfolio (this skill)
  • Market data → pionex-market
  • Orders (place/cancel) → pionex-trade
  • Futures grid bot lifecycle → pionex-bot

Example

  • User: “How much USDT do I have on Pionex?”
  • Agent: run pionex-trade-cli account balance, then from the JSON report the available (and total if present) balance for USDT.
