XT Exchange
v1.0.0XT.COM exchange CLI — spot & futures trading via progressive conversation. Market data, balance, orders, transfer, and withdrawal.
⭐ 0· 357·0 current·0 all-time
by0xH4rry@realm520
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (XT.COM spot & futures CLI) matches the files and runtime instructions. Required binary (python3) and required env vars (XT_ACCESS_KEY, XT_SECRET_KEY) are appropriate and expected for an exchange CLI.
Instruction Scope
SKILL.md stays within the trading scope (market data, balance, orders, transfer, withdraw). It instructs the agent to check credentials via environment variables and ~/.xt-exchange/credentials.json and to run the included Python scripts. Caution: the examples use commands like `echo $XT_ACCESS_KEY` and `cat ~/.xt-exchange/credentials.json` which will print secrets to stdout/logs; the skill also suggests `pip3 install requests` which writes to disk. The skill relies on conversational confirmation before trades, but that confirmation is enforced by the agent workflow (not by external technical safeguards).
Install Mechanism
There is no opaque download/install step: this is instruction-plus-scripts. The SKILL.md includes an optional brew formula suggestion for python@3 only. The code files are included in the skill bundle and network calls go to XT.COM API hosts (sapi.xt.com, fapi.xt.com). No third-party or shortened URLs or archives are fetched by the install process.
Credentials
The skill requests only XT_ACCESS_KEY and XT_SECRET_KEY (primaryEnv XT_ACCESS_KEY) and will also read a local credentials file if present. No unrelated credentials, secrets, or system paths are requested. Note: storing keys in ~/.xt-exchange/credentials.json or echoing them to stdout can expose them to logs or other observers — the keys are powerful and should be scoped/restricted.
Persistence & Privilege
always:false and the skill is user-invocable. It does not request persistent platform-wide privileges or modify other skills. It can be invoked autonomously (platform default), which is normal; combined with trading permissions, that increases impact if keys are present, but that is an expected property of any trading skill.
Assessment
This skill appears to be what it says: it runs the included Python CLI scripts and calls XT.COM API endpoints. Before installing, consider: 1) Only provide an API key with the minimum permissions needed (e.g., read-only for market data; separate trading key without withdrawal permission if possible). 2) Prefer environment variables over storing keys in ~/.xt-exchange/credentials.json; avoid echoing keys into chat or logs. 3) Review the included scripts yourself (they are bundled) and verify network hosts are sapi.xt.com / fapi.xt.com. 4) Be aware the skill will run Python and may run `pip3 install requests` — run in an isolated environment if you are cautious. 5) Test with a low-permission or small-balance account first. 6) The skill relies on conversational confirmations before executing trades/withdrawals — these are procedural (agent-enforced), not cryptographic safeguards; treat API keys as sensitive and assume actions could occur if the agent or environment is compromised.Like a lobster shell, security has layers — review code before you run it.
latestvk975secsxtpdqj2czb022ta2118207e5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython3
EnvXT_ACCESS_KEY, XT_SECRET_KEY
Primary envXT_ACCESS_KEY