Clap Trader
v1.0.0A skill for OpenClaw to research crypto market trends (technical & sentiment) and trade ETH on Binance.
⭐ 0· 758·1 current·1 all-time
by@dymx101
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The scripts (market_data, sentiment_data, logger, trade) implement the advertised functionality (indicators, RSS sentiment, logging, Binance trades). However the registry metadata declares no required environment variables or credentials while the SKILL.md and trade.py clearly require BINANCE_API_KEY and BINANCE_API_SECRET. That mismatch between declared requirements and actual code is incoherent and should be corrected/clarified by the author.
Instruction Scope
SKILL.md instructions are specific and align with the skill's purpose (how to run analysis, log, and execute trades). They instruct fetching external RSS feeds and making network calls to Binance via ccxt — expected for this functionality. Concerns: the SKILL.md command paths use 'skills/crypto_trader/scripts/...' but the distributed manifest lists scripts at top-level 'scripts/...'; log paths in code point to 'skills/crypto_trader/logs/...'. These path inconsistencies can lead to runtime errors or unexpected file creation locations.
Install Mechanism
There is no install spec (instruction-only install), which is lower risk. The README asks users to pip install common packages (ccxt, pandas, pandas-ta, requests, TextBlob) — reasonable for Python-based analysis/trading. No downloads from untrusted URLs or obfuscated installers were found.
Credentials
The only sensitive credentials used by the code are BINANCE_API_KEY and BINANCE_API_SECRET, which are appropriate for Binance trading. However the skill registry metadata omitted these required env vars; that omission is concerning because users may not realize they must provide API keys. No other unrelated credentials are requested.
Persistence & Privilege
The skill does write logs/trade history to local files under a 'logs' path, which is normal for a trading tool. It does not request always:true or modify other skills or system-wide settings. Autonomous invocation is allowed by default but not combined with elevated privileges here.
What to consider before installing
This skill appears to do what it says (market analysis + Binance trading), but there are clear inconsistencies you should address before running with real funds: 1) Do not provide your live BINANCE_API_KEY/BINANCE_API_SECRET until you confirm the packaging and paths — the registry metadata omitted these env vars and script paths in SKILL.md don't match the included files. 2) Inspect the code yourself (or have someone you trust review it). 3) When testing, use dry-run mode and/or a Binance testnet key with restricted permissions (disable withdrawals, limit IPs) and small amounts. 4) Run the skill in an isolated environment (container or VM) so logs and any files are contained. 5) Ensure the logs directory paths exist or correct the paths to where you intend logs to be written. If you cannot verify the author/source or fix the metadata/path issues, treat the skill as untrusted and avoid supplying real credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97e704mtmwzzrw7x9exgb6axd813dst
License
MIT-0
Free to use, modify, and redistribute. No attribution required.