ClawHub

Base Trader

v1.1.1

Autonomous crypto trading on Base via Bankr. Use for trading tokens, monitoring launches, executing strategies, or managing a trading portfolio. Triggers on "trade", "buy", "sell", "launch", "snipe", "profit", "PnL", "portfolio balance", or any crypto trading task on Base.

24· 6.6k·25 current·29 all-time
by@sp0oby
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (autonomous trading via Bankr) is plausible and its instructions call Bankr commands to execute trades. However the skill metadata declares no required credentials or env vars while the runtime instructions explicitly rely on a Bankr config and an on-chain wallet (e.g., ~/.clawdbot/skills/bankr/config.json and ~/clawd/skills/bankr/scripts/bankr.sh). Delegating credentials to another skill (Bankr) is reasonable, but the lack of any declared relationship in metadata and inconsistent paths ('.clawdbot' vs 'clawd') is an incoherence that obscures what credentials/folders it will access.
!
Instruction Scope
SKILL.md instructs the agent to run external Bankr scripts at hardcoded paths, to read and write local data files (data/trades.json, data/performance.json), and to perform autonomous periodic actions (cron/heartbeat flows). It does not instruct reading arbitrary system files, but it assumes access to another skill's scripts/config and to wallet credentials that are not documented in the metadata. Several paths are inconsistent across files (e.g., ~/.clawdbot vs ~/clawd), which could cause misexecution or indicate sloppy packaging. The instructions give the agent broad discretion to run Bankr commands (buy/sell/set stop loss), which means if Bankr config contains keys, the skill can trade on the user's behalf.
Install Mechanism
There is no install spec (instruction-only plus two tiny scripts). That minimizes installer risk because nothing is downloaded at install time. The included shell scripts are small and readable; no network download/install steps are present in the repo itself.
!
Credentials
Metadata lists no required environment variables or credentials, yet SKILL.md requires a Bankr config file and an on-chain wallet to be present. The skill relies implicitly on credentials stored by the Bankr skill (or in the referenced config path) but does not declare or surface this in requires.env/primaryEnv. Additionally, the log script uses jq but the skill does not declare jq or other binary dependencies. This mismatch reduces transparency about what secrets and system state the skill will access.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configs. It runs autonomously if invoked (disable-model-invocation is false), which is the platform default — combine that with the ability to call trading commands and you'll get automated trading behavior, but the skill itself does not demand elevated platform persistence.
What to consider before installing
What to consider before installing/using this skill: - Transparency of credentials: The skill expects a Bankr configuration and an on-chain wallet but declares no required credentials. Inspect the Bankr skill and the config file (~/.clawdbot/skills/bankr/config.json or ~/clawd/skills/...) to see what secrets (API keys/private keys) it stores. Do not point it at a config that contains unlocked private keys unless you trust the Bankr skill and the environment. - Path inconsistencies: SKILL.md and README reference multiple different paths ('.clawdbot' vs 'clawd' and both ~$HOME and ~/clawd). Verify and correct these paths before running; mismatches could cause accidental use of different files or failure. - Autonomy risk: The skill instructs the agent to run bankr.sh to execute buys/sells. If you allow autonomous invocation, the agent could place real trades using whatever credentials Bankr exposes. If you keep it, prefer manual invocation or limit its permissions initially. - Inspect Bankr and bankr.sh: This skill delegates all network/trading actions to an external script (bankr.sh). Confirm that the bankr.sh you have installed is the legitimate Bankr integration you expect; inspect that script for endpoints and credential usage. - Small runtime tests: Before trusting live trading, run the check-portfolio and log-trade scripts manually to verify behavior. Use a read-only or test config and tiny amounts (or testnet) first. - Missing declared dependencies: The logging script uses jq but jq is not declared. Ensure required binaries are installed and consider running in a sandbox before granting network/wallet access. - Provenance and author: The repository/author metadata is unknown and the README references an odd username. Consider source provenance and prefer well-known/trusted integrations for money-handling skills. - If you proceed: (1) audit the Bankr config contents, (2) run the skill in sandbox/testnet, (3) restrict autonomous execution until you confirm safe behavior, and (4) keep small trade sizes and revoke keys if anything suspicious happens.

Like a lobster shell, security has layers — review code before you run it.

latestvk971d4kdjtzbdb8bs5nggnhpkh802x63

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis

Comments