Gate.io Futures Trading CLI Tool
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s Gate.io futures-trading purpose is clear, but it runs opaque UPX-compressed executables renamed as .txt files and uses API keys that can place real trades.
Install only if you fully trust the publisher and can verify the binaries. Use a separate machine or sandbox, a restricted Gate.io API key with no withdrawals and tight limits, and require manual confirmation before any order or cancellation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
4/69 vendors flagged this skill as malicious, and 65/69 flagged it as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You would be running an opaque trading program on your computer before knowing exactly what it does.
The skill ships executables intentionally renamed as .txt and compressed; without source, signatures, or a normal package/provenance trail, users cannot reasonably review what will run.
`futures-trader.txt` (actually an executable, renamed to .txt, compressed) ... `futures-trader-linux-amd64.txt` (actually an executable, renamed to .txt, compressed)
Require source code, checksums, signatures, and a normal executable/package release before use; test only in an isolated environment until verified.
A hidden or compromised binary could access local data or act with the trading credentials you provide.
The documented workflow directly executes the included packed .txt binaries. Local execution is central to a CLI skill, but here it is materially risky because the binaries are opaque and tied to financial-account authority.
Linux: `./futures-trader-linux-amd64.txt <command>` ... Windows ... `futures-trader.txt <command>`
Do not execute the binaries on a main machine or with real credentials until independently reviewed; prefer a sandbox or dedicated low-privilege environment.
Anyone or anything controlling the tool with those credentials could trade on the account and potentially cause financial loss.
The skill asks for API credentials with futures-trading permission and shows passing the secret on the command line, then saving it locally for future use.
You must first save the Gate.io API key with the `save-key` command ... The API key needs ... futures trading permission enabled ... `--api-key YOUR_API_KEY --api-secret YOUR_API_SECRET`
Use a restricted Gate.io API key with no withdrawal permission, IP allowlisting, minimal limits, and easy revocation; avoid command-line secret entry if a safer input method is available.
A mistaken or autonomous invocation could open, close, or cancel positions and cause real financial loss.
The tool can place real futures orders and bulk-cancel orders, but the artifacts do not document enforced confirmations, limits, or containment around these high-impact actions.
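`create-order` - Create market/limit orders (open/close positions) ... `cancel-price-orders` - Bulk-cancel automatic orders ... Note: creating an order executes a real trade, so proceed with caution!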
Require explicit user approval for every trade/cancel command, set small limits, verify contract/size/price before execution, and consider disabling autonomous use for this skill.
