Bitget Data
Automates multi-coin spot grid trading on Bitget with dynamic adjustments, risk management, portfolio monitoring, and analysis tools.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 76 · 0 current installs · 0 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description and the included scripts align: this is a full-featured Bitget grid trading toolkit (many deploy/monitor/optimizer scripts). However the package metadata claims no required env vars or binaries while the SKILL.md and many scripts assume Node.js and a local config.json with Bitget API credentials; that mismatch is unexpected and should be clarified.
Instruction Scope
SKILL.md tells the agent (and user) to write Bitget API credentials to a specific file (/Users/zongzi/.openclaw/workspace/bitget_data/config.json), run many 'node' scripts via absolute paths, add cron jobs, and rely on a local proxy (127.0.0.1:7897). The instructions therefore require filesystem access, long-running cron persistence, network/proxy access, and secrets storage. Those instructions stay within trading scope but they also prescribe actions (writing credentials to disk, scheduling tasks) that expand the skill's runtime privilege and persistence surface.
Install Mechanism
There is no install spec (instruction-only), which limits remote code downloads. However many JavaScript files are present and the SKILL.md assumes Node will be invoked. The registry did not declare Node or any runtime dependency — that's inconsistent and should be fixed (declare 'node' as required). No external archive/download URLs are present in the provided data.
Credentials
The metadata lists no required credentials, yet SKILL.md requires a Bitget API key/secret/passphrase stored in config.json. Worse: repository documentation contains at least one explicit API key/secret/passphrase example (MULTI_AGENT_SETUP_GUIDE shows what appear to be real credentials: bg_73063f99..., secret ecdc7020..., passphrase Lin12345). Embedding plaintext API credentials in files is a strong red flag (credential leakage or reuse). The skill also references a Feishu chatId/alerts in multi-agent config, implying notifications; these additional integrations increase credential scope without being declared.
Persistence & Privilege
always:false (good). But SKILL.md and other docs instruct creating cron jobs and multi-agent controllers that run periodically and can modify local configs (scheduling/persistence). That increases runtime persistence and blast radius; it's not inherently malicious but combined with embedded credentials and absolute-path scripts it's riskier and should be treated cautiously.
What to consider before installing
Key things to consider before installing or running this skill:
- Do not run it as-is. The repo contains many Node scripts that will execute trades if given API keys; running them with real keys can place real funds at risk.
- Plaintext credentials found in repository docs: treat them as compromised. If any of those keys are real, rotate/revoke them immediately and never reuse them.
- The registry metadata omitted required items: Node.js is required but not declared; the skill expects a config.json with Bitget apiKey/secret/passphrase even though requires.env lists none. Ask the publisher to fix the manifest and document runtime requirements.
- Prefer storing API credentials in a secure secret store or environment variables rather than a file in a workspace. If you must use config.json, restrict its filesystem permissions (chmod 600) and run in an isolated VM/container.
- Run first in simulation mode (isSimulation: true) or against a test account with zero funds. Ensure API keys have NO withdrawal permission and whitelist your IP(s).
- Review all shipped scripts (especially multi_agent_controller.js, cron setup, and any scripts that call external endpoints) to confirm they do exactly what you expect and do not exfiltrate data or post to third‑party endpoints.
- Because the skill creates cron tasks and long‑running agents, run it in a secure, monitored environment (dedicated VM/container) and audit cron/agent changes.
- Ask the publisher for: (1) removal of any hard-coded credentials from the repo, (2) a manifest declaring required binaries (node) and required secrets, and (3) a minimal example showing how to run in a safe test/simulated mode.
If you want, I can: (A) point to the exact files that contain the plaintext credentials and cron instructions, (B) list the minimal changes to run safely in simulation, or (C) produce a checklist for an internal code review before deployment.bitget-cli.js:89
Shell command execution detected (child_process).
quick-start.js:112
Shell command execution detected (child_process).
setup-cron.js:28
Shell command execution detected (child_process).
cancel-all-orders.js:10
Environment variable access combined with network send.
check-balance.js:10
Environment variable access combined with network send.
start-avax-matic.js:10
Environment variable access combined with network send.
start-btc-grid.js:10
Environment variable access combined with network send.
start-eth-xrp.js:10
Environment variable access combined with network send.
start-eth.js:9
Environment variable access combined with network send.
start-grids.js:11
Environment variable access combined with network send.
start-simple.js:11
Environment variable access combined with network send.
start-sol.js:10
Environment variable access combined with network send.
test-api-debug.js:10
Environment variable access combined with network send.
analyze-strategy.js:16
File read combined with network send (possible exfiltration).
apply-dynamic-grid.js:7
File read combined with network send (possible exfiltration).
apply-scheme-a-v2.js:12
File read combined with network send (possible exfiltration).
apply-scheme-a.js:12
File read combined with network send (possible exfiltration).
auto-monitor.js:11
File read combined with network send (possible exfiltration).
buy-bnb-limit.js:7
File read combined with network send (possible exfiltration).
buy-bnb-market.js:7
File read combined with network send (possible exfiltration).
buy-eth-market.js:7
File read combined with network send (possible exfiltration).
cancel-all-orders.js:16
File read combined with network send (possible exfiltration).
check-balance.js:15
File read combined with network send (possible exfiltration).
deploy-bnb-grid.js:7
File read combined with network send (possible exfiltration).
deploy-bnb-new.js:7
File read combined with network send (possible exfiltration).
deploy-conservative.js:10
File read combined with network send (possible exfiltration).
deploy-dynamic-grid.js:7
File read combined with network send (possible exfiltration).
deploy-eth-buys.js:7
File read combined with network send (possible exfiltration).
deploy-eth-grid.js:7
File read combined with network send (possible exfiltration).
deploy-highfreq-grids.js:10
File read combined with network send (possible exfiltration).
deploy-sell-orders.js:12
File read combined with network send (possible exfiltration).
deploy-ultra-grids-v2.js:10
File read combined with network send (possible exfiltration).
deploy-ultra-grids.js:18
File read combined with network send (possible exfiltration).
dynamic-adjust-v2.js:9
File read combined with network send (possible exfiltration).
dynamic-adjust.js:10
File read combined with network send (possible exfiltration).
dynamic-rebalance.js:12
File read combined with network send (possible exfiltration).
kline-analyzer.js:7
File read combined with network send (possible exfiltration).
monitor-fixed.js:14
File read combined with network send (possible exfiltration).
monitor-grid.js:14
File read combined with network send (possible exfiltration).
optimize-grids.js:16
File read combined with network send (possible exfiltration).
quant-trader.js:12
File read combined with network send (possible exfiltration).
quick-report.js:9
File read combined with network send (possible exfiltration).
redeploy-coins.js:9
File read combined with network send (possible exfiltration).
restart-final.js:9
File read combined with network send (possible exfiltration).
restart-grids-fixed.js:9
File read combined with network send (possible exfiltration).
restart-grids.js:9
File read combined with network send (possible exfiltration).
sell-btc-market.js:10
File read combined with network send (possible exfiltration).
smart-grid.js:16
File read combined with network send (possible exfiltration).
start-avax-matic.js:16
File read combined with network send (possible exfiltration).
start-btc-grid.js:16
File read combined with network send (possible exfiltration).
start-eth-simple.js:7
File read combined with network send (possible exfiltration).
start-eth-v2.js:7
File read combined with network send (possible exfiltration).
start-eth-v3.js:7
File read combined with network send (possible exfiltration).
start-eth-v4.js:7
File read combined with network send (possible exfiltration).
start-eth-v5.js:7
File read combined with network send (possible exfiltration).
start-eth-xrp.js:16
File read combined with network send (possible exfiltration).
start-grids.js:18
File read combined with network send (possible exfiltration).
start-simple.js:17
File read combined with network send (possible exfiltration).
start-sol.js:14
File read combined with network send (possible exfiltration).
test-api-debug.js:16
File read combined with network send (possible exfiltration).
test-grid-api.js:15
File read combined with network send (possible exfiltration).
test-order.js:9
File read combined with network send (possible exfiltration).
trade-analyzer.js:14
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Bitget Trader 🟦
Professional Bitget integration for automated grid trading and portfolio management.
🚀 Quick Start
Setup Credentials
Save to /Users/zongzi/.openclaw/workspace/bitget_data/config.json:
{
"apiKey": "bg_your_api_key",
"secretKey": "your_secret_key",
"passphrase": "your_passphrase",
"isSimulation": false
}
API Key Requirements
- Permissions: Spot Read + Spot Trade
- IP Whitelist: Recommended but optional
- Passphrase: Required (set when creating API key)
📊 Basic Commands
Check Balance
node /Users/zongzi/.openclaw/workspace/bitget_data/check-balance.js
Monitor Grid Status
node /Users/zongzi/.openclaw/workspace/bitget_data/monitor-grid.js
Start Grid Trading
node /Users/zongzi/.openclaw/workspace/bitget_data/start-simple.js
Cancel All Orders
node /Users/zongzi/.openclaw/workspace/bitget_data/cancel-all.js
🎯 Grid Trading System
Configuration
Edit /Users/zongzi/.openclaw/workspace/bitget_data/grid_settings.json:
{
"btc": {
"symbol": "BTCUSDT",
"gridNum": 50,
"priceMin": 63000,
"priceMax": 70000,
"amount": 20,
"maxPosition": 400,
"sellOrders": 10,
"buyOrders": 10
},
"eth": {
"symbol": "ETHUSDT",
"gridNum": 30,
"priceMin": 1800,
"priceMax": 2700,
"amount": 4,
"maxPosition": 150
}
}
Parameters
| Parameter | Description | Example |
|---|---|---|
symbol | Trading pair | BTCUSDT |
gridNum | Number of grid levels | 50 |
priceMin | Minimum price | 63000 |
priceMax | Maximum price | 70000 |
amount | USDT per order | 20 |
maxPosition | Max total position | 400 |
sellOrders | Max sell orders | 10 |
buyOrders | Max buy orders | 10 |
📈 Available Scripts
Core Trading
| Script | Purpose |
|---|---|
monitor-grid.js | Monitor all grid strategies |
start-simple.js | Start all grids |
cancel-all.js | Cancel all orders |
check-balance.js | Check account balance |
Analysis & Optimization
| Script | Purpose |
|---|---|
grid-optimizer.js | Optimize grid parameters |
kline-analyzer.js | Analyze K-line data |
trade-analyzer.js | Analyze trade history |
quick-report.js | Generate quick report |
Dynamic Adjustment
| Script | Purpose |
|---|---|
dynamic-adjust.js | Dynamic grid adjustment |
dynamic-rebalance.js | Portfolio rebalancing |
apply-scheme-a.js | Apply optimization scheme A |
Single Coin Operations
| Script | Purpose |
|---|---|
start-eth.js | Start ETH grid |
deploy-bnb-grid.js | Deploy BNB grid |
buy-eth-market.js | Buy ETH at market price |
🔧 Advanced Features
1. Multi-Coin Grid Support
Supports concurrent grid trading for multiple coins:
- BTCUSDT (Bitcoin)
- ETHUSDT (Ethereum)
- SOLUSDT (Solana)
- BNBUSDT (Binance Coin)
2. Dynamic Grid Adjustment
Automatically adjusts grid parameters based on:
- Market volatility
- Price trends
- Order fill rates
- Balance availability
3. Risk Management
- Position Limits: Configurable
maxPositionper coin - Order Throttling: Prevents API rate limiting
- Balance Check: Validates sufficient USDT before deployment
4. Comprehensive Logging
All operations logged to:
grid_monitor.log- Grid status updatesmonitor.log- General monitoring logstrade-analysis.log- Trade analysis results
📊 Reporting
Generate Reports
# Grid status report
node /Users/zongzi/.openclaw/workspace/bitget_data/monitor-grid.js
# Trade analysis
node /Users/zongzi/.openclaw/workspace/bitget_data/trade-analyzer.js
# Quick report
node /Users/zongzi/.openclaw/workspace/bitget_data/quick-report.js
Report Files
GRID_STATUS_REPORT.md- Current grid statusGRID_OPTIMIZATION_REPORT.md- Optimization suggestionsDYNAMIC_STRATEGY_REPORT.md- Dynamic strategy analysis
⚠️ Risk Warning
- Cryptocurrency trading involves significant risk
- Test with small amounts first
- Never invest more than you can afford to lose
- API keys should have NO withdrawal permissions
🔐 Security Best Practices
- API Key Permissions: Only enable Spot Read + Spot Trade
- IP Whitelist: Restrict API access to your IP
- No Withdrawal: Never enable withdrawal permissions
- Secure Storage: Keep config.json secure (chmod 600)
📝 File Structure
bitget_data/
├── config.json # API credentials
├── grid_settings.json # Grid configurations
├── monitor-grid.js # Main monitoring script
├── start-simple.js # Start all grids
├── cancel-all.js # Cancel all orders
├── check-balance.js # Check balance
├── grid-optimizer.js # Grid optimization
├── trade-analyzer.js # Trade analysis
├── dynamic-adjust.js # Dynamic adjustments
├── grid_monitor.log # Monitoring logs
└── SKILL.md # This file
🆘 Troubleshooting
Common Issues
1. Signature Mismatch
- Check API key format (should start with
bg_) - Verify secret key is correct
- Ensure system time is synchronized
2. Proxy Connection Failed
- Ensure proxy is running on port 7897
- Check ClashX/Shadowrocket status
- Try:
curl -x http://127.0.0.1:7897 https://api.bitget.com
3. Insufficient Balance
- Check USDT balance:
node check-balance.js - Reduce
amountorgridNumin grid_settings.json - Consider restoring original config from backup
4. Orders Not Filling
- Check grid price range covers current market price
- Verify order quantity meets exchange minimum
- Review grid spacing (may be too tight/wide)
📚 API Reference
Bitget API v2 Endpoints
| Endpoint | Method | Purpose |
|---|---|---|
/api/v2/spot/account | GET | Get account info |
/api/v2/spot/orders | GET | Get open orders |
/api/v2/spot/place-order | POST | Place order |
/api/v2/spot/cancel-order | POST | Cancel order |
/api/v2/spot/market-tickers | GET | Get market prices |
Signature Generation
const timestamp = new Date().toISOString().split('.')[0] + '.000Z';
const method = 'GET';
const path = '/api/v2/spot/account';
const body = '';
const signStr = timestamp + method + path + body;
const signature = crypto.createHmac('sha256', secretKey).update(signStr).digest('base64');
🎯 Quick Commands Reference
# Monitor all grids
node monitor-grid.js
# Start trading
node start-simple.js
# Stop trading (cancel all)
node cancel-all.js
# Check balance
node check-balance.js
# Optimize grids
node grid-optimizer.js
# Analyze trades
node trade-analyzer.js
# Generate report
node quick-report.js
Version: 1.0.0
Exchange: Bitget
Type: Spot Grid Trading
Last Updated: 2026-03-10
Files
137 totalSelect a file
Select a file to preview.
Comments
Loading comments…