Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
xcard-trading
v1.0.0
Trade security tokens on the XCard platform — check balances, place orders, view market data, and review trade history.
by sss3000@seineruo
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (trade on XCard) aligns with the runtime instructions and the single required credential (an XCard API key). The documented endpoints cover account, market, orders, and history — all expected for a trading skill.
Instruction Scope
Instructions are narrowly scoped to calling the XCard API (base URL https://api.xcard.com/v1) and include sensible safety rules (explicit user confirmation, large-order warnings). They do not instruct reading unrelated files or exfiltrating data. Issues: some files use a different env-var placeholder ({XCard_API_KEY}) vs SKILL.md's declared XCARD_API_KEY (case inconsistency), and the error table in SKILL.md is malformed — these could lead to runtime confusion or misconfigured credentials.
Install Mechanism
Instruction-only skill with no install spec and no code files to write to disk, so there is no install-time code delivery risk.
Credentials
Only a single API key is required (appropriate for this purpose). However, the registry metadata shows 'Required env vars: [object Object]' and the skill's primary credential field is empty despite the SKILL.md declaring XCARD_API_KEY — this metadata mismatch is a packaging bug and should be resolved before trusting the skill. Ensure the key is scoped/minimal (ideally read-only for testing).
Persistence & Privilege
Skill is not always-included and uses default agent invocation settings. It does not request persistent system-wide privileges or modify other skills' configs.
What to consider before installing
This skill appears to implement the expected XCard trading API and asks only for a single XCARD_API_KEY, which is appropriate. Before installing: (1) verify the skill's source — the homepage is a placeholder (github.com/YOUR_USERNAME/...), so confirm the repository and maintainer; (2) fix/confirm the env-var name (SKILL.md uses XCARD_API_KEY but some module files show XCard_API_KEY) and ensure the registry metadata correctly declares the required env var; (3) test with a read-only or limited-scope API key (or a sandbox account) before giving it access to a live trading-capable key; (4) confirm the agent will require explicit user confirmation before placing orders (the skill includes safety rules, but verify the running agent enforces them); (5) monitor and rotate the API key after initial use. These issues look like packaging sloppiness rather than malice, but do not give this skill full trading credentials until you verify the code/source and key scoping.
Like a lobster shell, security has layers — review code before you run it.
latestvk975y5qm608hqp71gxs7w2dxad83jzwf
Runtime requirements
📈 Clawdis
Env: [object Object]
