Quote.Trade Operator — AI-Native Dark Pool DEX for Trading Bots and Autonomous Agents
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: quote-trade-operator Version: 1.0.2 The skill bundle is benign. It provides guidance and templates for interacting with the Quote.Trade API, primarily through public, read-only endpoints using PowerShell's Invoke-RestMethod. Crucially, the `SKILL.md` contains explicit and robust instructions for the AI agent to prioritize safety, require user approval for any credential operations or execution of external code, and to default to 'quote-only safe testing'. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection designed to harm the user or system. External code examples are clearly marked as optional, manual, and requiring explicit user approval, with strong recommendations for sandboxing and review.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used beyond quote or paper mode, the agent could help prepare real crypto trading actions.
The skill covers trading-execution workflows, which can affect user funds, but it also discloses a safe default of quote-only testing.
Use when users ask about ... paper trading, long/short execution ... Default trading mode is quote-only safe testing.
Keep the workflow in quote-only or paper mode by default, and require explicit per-order user approval, size limits, and leverage limits before any live trade.
Mishandled keys or credentials could expose a trading account or enable unwanted account actions.
The skill discusses exchange account credentials and signing keys, which are sensitive account authority, while also saying they remain user-controlled and approval-gated.
Supports credential setup guidance ... Users can optionally generate and use their own Ed25519 signing key ... Require explicit user approval before any credential operation.
Never paste private keys into chat, keep signing material in approved local tooling, and approve credential operations only when you understand the exact account and action.
Running external bot code could introduce dependencies or behavior not reviewed in this artifact set.
The skill references external repositories and package-install/build commands, but frames them as optional, manual, and requiring explicit approval.
Example only — run manually if explicitly approved by the user. # git clone https://github.com/quoteTrade/quote-trade-CLI-trading-bot # npm install # npm run build
Review and sandbox any external repository before installing dependencies or running build commands.
Marketing claims could influence financial decisions if treated as guarantees.
The reference file includes promotional financial-platform claims, while also instructing agents to label them as platform-stated rather than independently verified.
Proof points (platform-stated): ... zero fee claim, leverage up to 5x ... no KYC messaging. [site] ... treat as platform-stated unless independently verified
Verify fees, leverage, liquidity, KYC requirements, and risk disclosures directly with the official service before relying on them.