ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto Scalper Bot

v1.0.0

Automated Binance Futures USDT-M scalping bot using RSI, EMA, Volume, Bollinger Bands, with auto SL/TP, Telegram alerts, and health monitoring.

0· 67·0 current·0 all-time
by@mail-eth

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mail-eth/crypto-scalper-bot.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Crypto Scalper Bot" (mail-eth/crypto-scalper-bot) from ClawHub.
Skill page: https://clawhub.ai/mail-eth/crypto-scalper-bot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install crypto-scalper-bot

ClawHub CLI

Package manager switcher

npx clawhub@latest install crypto-scalper-bot
Security Scan
Capability signals
CryptoRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to be a Binance Futures scalper and the code indeed implements trading, Telegram alerts, and health checks. However the registry metadata lists no required environment variables or primary credential even though the code clearly requires BINANCE_API_KEY, BINANCE_API_SECRET (and optional TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID). This mismatch between claimed metadata and actual needs is an incoherence that can lead to accidental credential exposure or misuse.
!
Instruction Scope
SKILL.md instructs the user to create env files and run setup/strategy/QA scripts which is appropriate for a trading bot. But there are problematic instructions/behaviors: run_qa.sh actually invokes the trading script (futures_auto_trade.py) instead of the QA audit (qa_audit.py), so running the QA job may execute live trades unexpectedly. The Python scripts also search for env files in '/root/.openclaw/workspace/*', meaning they will pick up env files from an agent/workspace location beyond the repo — this increases the chance of accidently reading unrelated secrets.
Install Mechanism
No install spec is provided and there are no downloads; this is a code-bundle with scripts to run locally. That lowers install-time risk since nothing is fetched from external URLs, but the provided code will execute network calls and trading actions when run.
!
Credentials
The skill requires Binance API keys with read/write trading permissions and optional Telegram tokens to function — those are appropriate for a trading bot. However the registry metadata shows no required env vars (incoherent), and the code will also read env files from an agent workspace path which may expose keys stored elsewhere. The QA routine attempts an API order test (placing a reduceOnly MARKET order) which is a sensitive action and should be clearly documented/optional.
Persistence & Privilege
The skill does not request 'always: true' or any elevated platform privileges. It does not modify other skills' configurations. Its runtime behavior is limited to the files in the bundle and external network calls (Binance, Telegram).
What to consider before installing
This package is functionally a real Binance futures trading bot and will place live market orders if you run it with API keys that have trading permissions. Before installing or running: 1) Do not trust default metadata — the repo needs BINANCE_API_KEY and BINANCE_API_SECRET (and optionally Telegram values); verify and provision keys yourself. 2) Use API keys with the minimum necessary permissions (disable withdrawals, restrict by IP if possible) and test with a small balance or testnet keys. 3) Inspect and correct run_qa.sh (it currently runs the trading script instead of qa_audit.py) to avoid accidental trades when you expect only checks. 4) Remove or avoid storing secrets in shared workspace paths (the code looks in /root/.openclaw/workspace/*), or ensure workspace doesn't contain other sensitive env files. 5) Be aware qa_audit.py will attempt a test order (reduceOnly) — consider disabling that or replacing it with a non-order API call for testing. 6) Because the package source and homepage are unknown, prefer to run it in an isolated environment (VM/VPS) and review all code changes before giving it live API keys. If you want, I can list the exact lines that read workspace env paths and the commands in run_qa.sh/setup.sh that you should change.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ebgat95zm8ynane2q0xb7a984z1a5
67downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@mail-eth
latest
Download

Crypto Trading Bot

Automated crypto scalping bot for Binance Futures USDT-M

Description

A complete crypto trading bot with multiple strategies:

  • Scalper: RSI + EMA + Volume based trading
  • Bollinger Bands: Mean reversion strategy
  • QA System: Auto health checks

Features

  • 6 trading pairs: BTC, ETH, SOL, BNB, XAU, XAG
  • Auto SL/TP management
  • Telegram notifications
  • System health monitoring
  • Backtest ready

Usage

# Setup credentials
nano binance.env
nano telegram.env

# Verify setup
bash setup.sh

# Run strategies
bash run_cycle.sh              # Scalper
bash run_mean_reversion.sh     # Bollinger
bash run_qa.sh                # QA check

Requirements

  • Python 3.8+
  • Binance Futures account
  • VPS (recommended)

Docs

See README.md for full installation guide.

Comments

Loading comments...