ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

msx trade

v1.0.0

Trade security tokens on the MSX platform — check balances, place orders, view market data, and review trade history.

0· 50·0 current·0 all-time
bysss3000@seineruo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (MSX trading) match the declared runtime behavior: calling MSX REST endpoints for account, market, orders, and history. The only declared credential (MSX_API_KEY) is appropriate for that purpose.
Instruction Scope
SKILL.md and module files constrain actions to MSX API calls (base URL https://api.msx.com/v1) and explicitly require the X-API-KEY header. The skill instructs the agent to request confirmation before placing orders and to never log or expose the API key. There are no instructions to read unrelated local files, scan system state, or call other external endpoints.
Install Mechanism
No install spec or code files that would be written to disk — instruction-only skill. This is the lowest-risk install mechanism.
Credentials
Only MSX_API_KEY is requested in SKILL.md, which is proportionate for trading. However registry metadata in the provided manifest shows a rendering glitch ('Required env vars: [object Object]') and the registry fields list 'Primary credential: none' despite the SKILL.md declaring MSX_API_KEY — this mismatch and the placeholder homepage reduce confidence and should be resolved before trusting the skill.
Persistence & Privilege
Skill is not always-on and is user-invocable (defaults). Autonomous invocation (disable-model-invocation=false) is allowed by default — not itself a flaw, but because the skill can execute trades, users should be aware of the financial risk. The SKILL.md includes explicit confirmation rules that mitigate some risk.
What to consider before installing
This skill's behavior appears coherent for an MSX trading client and it only asks for MSX_API_KEY, but proceed cautiously: (1) The source/homepage URL is a placeholder (https://github.com/YOUR_USERNAME/...) and the registry metadata has formatting/mapping issues — verify the publisher and repository before installing. (2) Prefer using a least-privilege or demo API key and test with minimal funds. (3) If you don't want the agent to place trades autonomously, disable autonomous invocation or require explicit confirmations in policy. (4) Confirm the real project repo and review its code (if available) to ensure there are no hidden endpoints or data exfiltration paths. (5) Only grant the API key if you trust the skill's origin and have verified the MSX API base URL and expected permissions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d434fapwb0rrvy5akfheke583k7vg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis
Env[object Object]

Comments