TBOT Controller
Warn
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a genuine TBOT controller skill, but it can send trading commands to a webhook and use locally stored webhook secrets, and its own docs disagree about whether JSON mode makes network calls.
Review this carefully before installing for any live trading setup. Treat JSON mode as potentially sending a real trading signal, verify paper vs. live mode, confirm the webhook URL and key source, and only allow `--run-it`/`RUN_IT=1` when you truly want the action performed.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Invoking JSON mode could send an order-like signal to TBOT instead of merely creating a payload for review.
The JSON mode is not just local file generation; it can POST trading instructions to a webhook. For a trading bot, that can create or close positions, so the send path needs an unambiguous confirmation boundary.
Behavior:
- This command ALWAYS sends the generated, schema-validated JSON payload to TBOT.
- Webhook endpoint is taken from (in order): --url, TBOT_WEBHOOK_URL, or defaults to http://127.0.0.1:5001/webhook.
Separate generate-only and send modes, make generate-only the default, and enforce `--run-it` or `RUN_IT=1` for every webhook send.
A user may believe the command is safe offline payload generation when it may actually contact the trading webhook.
This user-facing claim conflicts with the included sender implementation, which documents and implements webhook POST behavior. Users may underestimate the impact of using JSON mode.
## Webhook JSON Generator
Builds a schema-valid TradingView-style payload (no network calls).
Correct the README and examples so they clearly state when a network send occurs and when explicit confirmation is required.
The agent may use an existing local TBOT webhook secret to authorize trade-signal delivery.
The skill can read and use local webhook credentials for the trading runtime. That is purpose-aligned but sensitive, and it is not reflected by the registry's 'Primary credential: none' declaration.
Webhook key is taken from (in order): --key, WEBHOOK_KEY env var, or the runtime .env file (auto-discovered).
Declare webhook credential use in metadata/docs, prefer explicit user-provided keys or clearly bounded env vars, and confirm the target URL before sending.
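The send boundary that findings 1 through 3 ask for, as an added example rather than the skill's own code: generate-only is the default, a POST happens only behind --run-it or RUN_IT=1, the URL and key are resolved in exactly the order the audit quotes, and anything a user should confirm first (non-loopback target, key auto-discovered from .env, no key at all) is surfaced before a signal leaves. The payload field names, the .env format and the X-Webhook-Key header are assumptions.

```python
"""Send boundary: generate-only by default, POST only behind --run-it / RUN_IT=1.
Added example, not the TBOT skill's code. Payload fields, .env format and the
X-Webhook-Key header are assumptions; URL/key resolution order is from the audit."""
import json
import os
import urllib.request
from pathlib import Path
from urllib.parse import urlparse

DEFAULT_URL = "http://127.0.0.1:5001/webhook"  # loopback default quoted in the audit
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def resolve_url(cli_url=None, env=None):
    """--url, then TBOT_WEBHOOK_URL, then the loopback default."""
    env = os.environ if env is None else env
    if cli_url:
        return cli_url, "--url"
    if env.get("TBOT_WEBHOOK_URL"):
        return env["TBOT_WEBHOOK_URL"], "TBOT_WEBHOOK_URL"
    return DEFAULT_URL, "default"


def parse_dotenv(text, name):
    """Minimal .env reader (assumed format: NAME=value, '#' comments, optional quotes)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == name:
            return value.strip().strip("'\"") or None
    return None


def resolve_key(cli_key=None, env=None, dotenv_path=None):
    """--key, then WEBHOOK_KEY, then WEBHOOK_KEY from the runtime .env (auto-discovered)."""
    env = os.environ if env is None else env
    if cli_key:
        return cli_key, "--key"
    if env.get("WEBHOOK_KEY"):
        return env["WEBHOOK_KEY"], "WEBHOOK_KEY"
    if dotenv_path and Path(dotenv_path).is_file():
        value = parse_dotenv(Path(dotenv_path).read_text(), "WEBHOOK_KEY")
        if value:
            return value, f".env:{dotenv_path}"
    return None, None


def plan(payload, *, run_it=False, cli_url=None, cli_key=None, env=None, dotenv_path=None):
    """Decide what a run would do without doing it (no network I/O here).
    mode is 'send' only with --run-it or RUN_IT=1; every point a user should confirm
    before a real signal leaves is recorded as a warning execute() must be told to accept."""
    env = os.environ if env is None else env
    url, url_source = resolve_url(cli_url, env)
    key, key_source = resolve_key(cli_key, env, dotenv_path)
    host = urlparse(url).hostname or ""
    warnings = []
    if host not in LOOPBACK_HOSTS:
        warnings.append(f"target {host} is not loopback (url from {url_source})")
    if key_source and key_source.startswith(".env"):
        warnings.append(f"webhook key auto-discovered from {key_source}")
    if key is None:
        warnings.append("no webhook key found")
    confirmed = bool(run_it) or env.get("RUN_IT") == "1"
    return {"mode": "send" if confirmed else "generate-only", "url": url,
            "url_source": url_source, "key": key, "key_source": key_source,
            "warnings": warnings, "payload": payload}


def redacted(p):
    """Copy of a plan that is safe to print or log: only the key's last four characters."""
    out = dict(p)
    out["key"] = ("..." + p["key"][-4:]) if p["key"] else None
    return out


def execute(p, acknowledge_warnings=False, timeout=5):
    """Generate-only returns the JSON for review; 'send' POSTs, but only past the checks."""
    if p["mode"] != "send":
        return json.dumps(p["payload"], indent=2)
    if p["key"] is None:
        raise PermissionError("refusing to send: no webhook key")
    if p["warnings"] and not acknowledge_warnings:
        raise PermissionError("refusing to send: " + "; ".join(p["warnings"]))
    req = urllib.request.Request(
        p["url"], data=json.dumps(p["payload"]).encode(), method="POST",
        headers={"Content-Type": "application/json", "X-Webhook-Key": p["key"]})  # header assumed
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    signal = {"ticker": "BTCUSD", "action": "buy", "qty": 0.01}  # constructed; fields assumed
    p = plan(signal, env={})  # empty env: stays generate-only, nothing is sent
    print(json.dumps(redacted(p), indent=2))
    print(execute(p))
```

In a wrapper like scripts/tbot.sh the `--run-it` flag would map to `run_it=True` and the acknowledgement to a second explicit flag; the point is that the network call sits behind two decisions the user made on purpose, and that the printed plan never contains the full key.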
Portfolio/order information may appear in chat or logs when status or DB commands are run.
The skill retrieves persistent trading database records, including orders, alerts, and portfolio data, into the agent session. This is expected for the purpose but can expose sensitive financial context.
bash scripts/tbot.sh status db --table orders --format summary --limit 100
bash scripts/tbot.sh status db --table alerts --format summary --limit 100
bash scripts/tbot.sh status portfolio --format summary
Use summary output and small limits by default; avoid raw JSON unless needed and do not share outputs publicly.
A future dependency version could change behavior compared with the reviewed version.
The entrypoint runs Python through uv and installs dependencies from the requirements file at invocation time (with --no-project, so no project lockfile is consulted); scripts/requirements.txt uses a version range for jsonschema. This is common practice, but it means the jsonschema version that actually runs is whatever the index resolves at invocation time, not the one that was reviewed.
PYTHON_EXEC=(uv run --no-project --with-requirements "$REQ_FILE" python3)
Pin dependencies with hashes or a lockfile if this will be used for financial automation.
