Apex Trading & Analysis

v1.0.3

Trade and monitor ApeX perpetual futures. Check balances, view positions with P&L, place/cancel orders, execute market trades, or submit trade reward enrollments. Use when the user asks about ApeX trading, portfolio status, crypto positions, activity enrollments, or wants to execute trades on ApeX.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The code and SKILL.md clearly implement ApeX trading, portfolio, and market-analysis features which justify the listed dependencies (apexomni SDK, ethers-related libs, node-fetch). However the registry metadata claims no required environment variables or primary credential, while both SKILL.md and every private-operation script require APEX_API_KEY, APEX_API_SECRET, APEX_API_PASSPHRASE and APEX_OMNI_SEED. That mismatch (metadata says none; runtime needs multiple secrets including a seed phrase) is incoherent and concerning.
Instruction Scope
Runtime instructions are explicit: run npm install, then run the provided node scripts. SKILL.md and the scripts limit external network calls to ApeX endpoints and CoinGecko (both expected). The instructions do not direct the agent to read unrelated system files, but they do show examples of passing full credentials in the environment when invoking commands. SKILL.md also includes trigger phrases and defaults (reward id 300001), which are acceptable but should be noted.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the code contains a package.json and requires running `npm install` in the scripts folder. Dependencies come from npm (package-lock entries look standard); no arbitrary download URLs were used. The apexomni-connector-node dependency is pinned to a '0.3.2-alpha.1' release (an alpha release), which raises moderate risk because it may be unreviewed/unstable; otherwise the install mechanism is standard npm usage.
Credentials
Private operations require multiple sensitive environment variables: APEX_API_KEY, APEX_API_SECRET, APEX_API_PASSPHRASE and APEX_OMNI_SEED (seed phrase/private key). Such secrets are proportionate for a trading client, but the registry metadata does not declare them, meaning an agent/platform might not surface the required secrets to the user up-front. The presence of a seed phrase (APEX_OMNI_SEED) is high-privilege and should be handled with extreme care (never provide it to remote/cloud agents unless you trust the execution environment).
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It writes a local trading-state.json file inside the skill directory (scripts/check-positions.mjs) but does not request system-wide config changes or modify other skills. Autonomous invocation is allowed by default on the platform (disable-model-invocation=false), which is typical; combine that with providing live credentials only if you trust the agent environment.
What to consider before installing
This skill is functionally consistent with an ApeX trading client, but there are two red flags you should address before installing or giving it secrets: (1) the registry metadata incorrectly lists no required environment variables while the SKILL.md and all scripts require APEX_API_KEY, APEX_API_SECRET, APEX_API_PASSPHRASE and APEX_OMNI_SEED (a seed phrase/private key), and (2) the SDK dependency is an 'alpha' npm release. Practical recommendations: do not provide your live Omni seed to a remote or cloud-hosted agent; prefer testnet or read-only credentials for initial testing; confirm the origin of apexomni-connector-node on npm (and audit that package); run npm install and the scripts in an isolated sandbox (or container) first; restrict API key permissions where possible (avoid withdrawal or full admin rights); and ask the skill author or publisher for a canonical source/homepage and an explanation for why the registry metadata omitted the required env vars. If you are not comfortable auditing the code and dependencies yourself, avoid supplying the seed or use only a testnet account.
