Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xcard trade

v1.0.0

Trade crypto perpetual futures on XCard — view positions, place orders, monitor funding rates, and manage margin.

by sss3000@seineruo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes exactly the trading actions you'd expect (market data, orders, positions) and requires an XCard API key, which matches the stated purpose. However, the registry metadata printed as "Required env vars: [object Object]" and the package lists no primary credential, while the SKILL.md does require XCARD_TRADE_API_KEY. This mismatch between the skill file and the registry record is an integrity/provenance concern.
Instruction Scope
Instructions confine the agent to calling XCard API endpoints, displaying timestamps, calculating liquidation, and requiring explicit confirmation before placing orders. There are no instructions to read unrelated files, other env vars, or to send data to third-party endpoints.
Install Mechanism
This is an instruction-only skill with no install steps and no code files. That minimizes installation-level risk (nothing is written to disk by an installer).
Credentials
The SKILL.md legitimately needs one API key (XCARD_TRADE_API_KEY) which is proportionate for trading. The concern is the registry/output inconsistency (env shown as '[object Object]' and 'Primary credential: none'), which could hide required secrets or be a sign of an incomplete/incorrect publishing process. Also the skill will perform order placement — you should only provide a key with precisely scoped permissions (no withdrawals, limited trading scope) and audit key scope before use.
Persistence & Privilege
The skill is not always-enabled and uses default agent invocation behavior. It does not request persistent system privileges or modify other skills. No install-time persistence is present.
What to consider before installing
This skill appears to implement a normal trading API (market data, positions, orders) and only needs an XCard API key — but two red flags mean you should be cautious: (1) the registry metadata output is broken (shows '[object Object]') and the listing shows no primary credential while SKILL.md expects XCARD_TRADE_API_KEY; (2) the homepage points to a placeholder GitHub path (YOUR_USERNAME) and the source is 'unknown'. Before installing or providing any API key, verify the skill's publisher and repository (ask the publisher for a real repo and review it), confirm the exact environment variable name and required scopes, and only grant a minimally-permissioned API key (disable withdrawals, restrict IPs if supported, limit leverage/trading permissions if possible). Test using read-only queries first, and if you allow order placement, start with a small/sandbox account or subaccount key. If the publisher cannot explain the metadata mismatch and provide a real source repo, do not trust the skill with live API keys.

Like a lobster shell, security has layers — review code before you run it.

latestvk970qp6gnd2rcatbyb7922vbg583jp4f


Runtime requirements

📊 Clawdis
Env: [object Object]
