Cryptocurrency Trader
v0.1.0
Production-grade AI trading agent for cryptocurrency markets with advanced mathematical modeling, multi-layer validation, probabilistic analysis, and zero-hallucination tolerance. Implements Bayesian inference, Monte Carlo simulations, advanced risk metrics (VaR, CVaR, Sharpe), chart pattern recognition, and comprehensive cross-verification for real-world trading application.
by Veera @veeramanikandanr48
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The codebase (many trading, pattern-recognition, backtesting modules plus an LLM conversational layer) is coherent with the stated purpose of an AI cryptocurrency trading agent. However the registry metadata and SKILL.md claim 'Required env vars: none' while the code (llm_trading_assistant.py) clearly expects OPENAI_API_KEY or ANTHROPIC_API_KEY (or an explicit api_key argument). That omission is inconsistent — LLM integration is reasonable for this skill, but the metadata should declare those credentials.
Instruction Scope
SKILL.md instructs the user to run CLI commands and to 'pip install -r requirements.txt', and it requests an Internet connection and knowledge of the user's account balance. The runtime instructions do not mention reading environment variables for LLM providers or possibly exchange API keys, yet the code reads OPENAI_API_KEY/ANTHROPIC_API_KEY from the environment. The instructions are otherwise narrowly scoped to trading flows, but the omission of required env vars and the lack of disclosure about network calls and external API usage are a scope/visibility problem.
Install Mechanism
No install spec was declared in the registry, yet the package contains a requirements.txt and the PRODUCTION_READY_SUMMARY includes unzip/cp installation instructions and a pip install -r requirements.txt step. There are no suspicious external download URLs in the provided manifest. The install approach relies on pip (requirements.txt) which is normal, but the registry metadata should reflect that and list the dependency file so users know what will be installed.
Credentials
The declared 'Required env vars: none' is inconsistent with code usage of LLM API keys (OPENAI_API_KEY / ANTHROPIC_API_KEY). The code will also perform network I/O for market data and may require exchange credentials (MarketDataProvider/ccxt-style exchanges) although exchange keys are not declared. Requesting or using LLM keys and potentially exchange API keys is proportionate to the skill's purpose, but the missing declaration is a red flag — users aren't being informed of what secrets will be needed or used.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide config changes. Installation/install-spec (per PRODUCTION_READY_SUMMARY) writes files only into a user skill directory (~/.claude/skills/...), which is normal for a skill. There is no evidence in the provided files of attempts to modify other skills' configs or escalate privilege.
What to consider before installing
This package contains substantial source code and an LLM-powered interface; do not install blindly. Before running or installing:
1) Inspect requirements.txt to see which third-party packages will be installed.
2) Search the source (e.g., llm_trading_assistant.py, market/data_provider.py) for references to environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, BINANCE_API_KEY, SECRET, TOKEN, etc.) and endpoints the code contacts.
3) Confirm whether the market data code uses public REST endpoints or requires exchange API keys; if it requires exchange keys, provide them only in a controlled, minimal-permission account.
4) Run the code in an isolated environment (container or VM) and with dummy API keys first.
5) If you plan to use the LLM integration, prefer passing API keys explicitly to constructors rather than relying on environment variables so you know what is being used.
6) Do not connect real trading accounts or use real funds until you have reviewed tests, logs, and run dry runs/backtests.
7) If you need to trust this skill long-term, ask the publisher for source provenance and a signed release; currently the registry lists an unknown source and no homepage, increasing the need for manual review.
Like a lobster shell, security has layers — review code before you run it.
latest vk9769mm46ndhvc2pqmvavefzhh80939k
