nexustrader
v1.0.5
NexusTrader trading assistant. Query crypto balances, positions, prices, and place orders on Binance, Bybit, OKX, Bitget, HyperLiquid.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual code and instructions. The skill needs python3, the 'uv' CLI, and the fastmcp Python package to operate a local MCP server and call exchange-backed tools; it reads the local .keys/.secrets.toml for API keys, which is necessary for trading.
Instruction Scope
SKILL.md and bridge.py keep behavior narrowly scoped to interacting with a local MCP server (default 127.0.0.1:18765) and reading .env and the project's .keys/.secrets.toml. The skill relies on the agent/user to confirm order operations (the code does not itself enforce an interactive confirmation flow), and it allows an opt-in auto-start of a background daemon which, if enabled, will hold access to API keys. These are documented but are important operational considerations.
Install Mechanism
There is no automatic remote install specified in the skill registry. Provided install.sh is a local helper that expects the user to clone the upstream GitHub repo and to install 'uv' themselves; it does not silently pull arbitrary code from untrusted servers. The script can update the local OpenClaw skill registry (index.json) when run, which is expected for an installer but worth noting.
Credentials
The only privileged credential is the local-file credential NEXUSTRADER_API_KEYS (.keys/.secrets.toml) — appropriate for a trading integration. The skill declares optional environment variables (NEXUSTRADER_PROJECT_DIR, NEXUSTRADER_MCP_URL, NEXUSTRADER_NO_AUTOSTART). Access to the API key file is high-privilege but proportional to the stated functionality. Be aware that enabling auto-start gives the daemon continuous access to those keys.
Persistence & Privilege
The skill is not always:true and does not auto-enable itself by default. However, it can auto-start a background nexustrader-mcp daemon if the user opts in (NEXUSTRADER_NO_AUTOSTART=0). The install script can also modify ~/.openclaw/skills/index.json when run. These are documented behaviors but increase runtime persistence/privilege when the user enables them.
Assessment
This skill is internally coherent for running a local NexusTrader MCP bridge, but you should: (1) review and control the NexusTrader-mcp source you install (the installer expects you to git clone https://github.com/Quantweb3-com/NexusTrader-mcp), (2) start with testnet/demo keys and verify the workflow before using live keys, (3) keep auto-start disabled (NEXUSTRADER_NO_AUTOSTART=1) unless you understand and accept that a background daemon will hold access to your API keys, (4) inspect install.sh and bridge.py yourself before running them, and (5) remember the agent is responsible for confirming trades — the code documents that requirement but does not enforce a human-in-the-loop confirmation itself.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: python3, uv
