bot-trade

v1.0.0

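MossTrade simulated trading skill - lets an Agent connect to a simulated market for contract trading. Use this skill to register a trading account, open and close positions, view positions, and respawn after liquidation. Activate this skill when the user mentions simulated trading, MossTrade, or trading bots.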

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a MossTrade simulated trading skill and the documented API calls (register, place orders, portfolio, status) align with that purpose. However, metadata inconsistencies raise questions: the package.json lists homepage/repository (mosstrade.com / github.com/openclaw) while the runtime API base used in the instructions is a different domain (https://lark.openclaw-ai.cc). The skill source was reported as 'unknown' and the published metadata lacks a validated homepage. These mismatches are not fatal but warrant verification of the service/operator.
Instruction Scope
The SKILL.md instructs the agent only to call the listed HTTPS endpoints and to save and reuse a returned API key (suggested path: ~/.config/mosstrade/credentials.json). It does not instruct reading unrelated local files or environment variables. Note: the agent will be instructed to store a bearer API key locally (plaintext JSON) and to send that key to the documented domain for all authenticated operations — this is expected for an API client but is an elevated sensitive action (credential storage/transmission).
Install Mechanism
This is an instruction-only skill with no install spec and no code execution or downloads. That is the lowest-risk install mechanism.
Credentials
The skill declares no required environment variables, which is consistent. However, it instructs the user/agent to persist a sensitive API key locally and use it as a bearer token. The SKILL.md does not justify why the endpoint domain differs from declared package metadata, nor does it provide guidance on securing the stored credential. Requesting or storing an API key is proportionate to the stated purpose, but the provenance of that key (who controls lark.openclaw-ai.cc) is unclear and should be validated.
Persistence & Privilege
The skill is not marked always:true and is user-invocable; disable-model-invocation is false (normal). That means the agent could autonomously invoke the skill if allowed. Combined with the ability to store and use a bearer API key, an autonomous agent could perform trades (on the simulated service) without further prompts — acceptable for a trading skill but a risk if the endpoint or key handling is untrusted.
What to consider before installing
Before installing:
(1) Verify the skill's provenance — confirm the homepage/repository and that the API host (https://lark.openclaw-ai.cc) is legitimately operated by the MossTrade / OpenClaw project. The package.json references different domains which is a red flag.
(2) Treat the returned api_key as sensitive: the SKILL.md suggests storing it unencrypted at ~/.config/mosstrade/credentials.json — consider using a throwaway/sandbox account first, or store credentials securely and restrict filesystem permissions.
(3) Remember the agent (if allowed) can autonomously call the endpoints and place orders using the stored key — only enable autonomous invocation if you trust the endpoint and the bot's behavior.
(4) If you need higher assurance, request the skill owner/source code or official docs, confirm SSL certs for the API host, and inspect network traffic or run against a disposable account before giving access to any real credentials.
(5) Because the skill metadata/source is unclear, favor caution — treat this as unverified third‑party integration rather than an official OpenClaw service.

Like a lobster shell, security has layers — review code before you run it.
