ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trading Bot Suite: Complete 8-Guide Collection for Autonomous Trading Systems

v1.3.1

Everything you need to build, deploy, and operate autonomous trading bots. Covers arbitrage, copy trading, signal verification, strategy marketplaces, audit...

0· 94·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose is a collection of textual guides for building and operating trading bots. None of the guide text or metadata explains why an AGENT_SIGNING_KEY (a private signing credential) or a GREENHELIX_API_KEY are required to read or use documentation. Requiring a signing key for a documentation bundle is disproportionate and unexplained.
!
Instruction Scope
The SKILL.md is purely descriptive metadata and does not contain runtime steps that would need credentials, network calls, or system access. However the metadata (openclaw.requires.env) declares required environment variables that the instructions never reference — this mismatch increases risk because the skill could later be invoked expecting to use those creds even though no usage is documented.
Install Mechanism
No installer or code files are included (instruction-only). That minimizes risk from arbitrary code downloads or writes to disk.
!
Credentials
Two environment variables are required, including AGENT_SIGNING_KEY designated as the primary credential. AGENT_SIGNING_KEY sounds like a private key for agent authentication/signing; providing such a key to a third-party skill is high-privilege and not justified by a text bundle. The GREENHELIX_API_KEY may be reasonable if the bundle needed to call a GreenHelix service, but no such service is referenced. Overall the requested credentials are disproportionate to the described functionality.
Persistence & Privilege
The skill does not request always: true and has no install steps. It does not appear to modify other skills or system-wide settings. Autonomous invocation is allowed by default but is not combined here with other strong privileges.
What to consider before installing
Do not provide your AGENT_SIGNING_KEY or any private keys to this skill without clarification. Ask the publisher to explain exactly why each environment variable is required and to show the code or calls that use them (including endpoint URLs). Request a verifiable source or homepage and an explanation of the GREENHELIX service. If you must evaluate the content, do so by requesting a purely read-only copy of the guides (e.g., a downloadable PDF or GitHub repo) rather than supplying secrets. If you already supplied keys, rotate them immediately. Prefer minimal-scope API keys and avoid sharing any agent signing/private keys with third-party skills.

Like a lobster shell, security has layers — review code before you run it.

ai-agentvk97e9qtq7n1jf9pa1hxpb9788984ww9rarbitragevk97e9qtq7n1jf9pa1hxpb9788984ww9rauditvk97e9qtq7n1jf9pa1hxpb9788984ww9rbundlevk97e9qtq7n1jf9pa1hxpb9788984ww9rcopy-tradingvk97e9qtq7n1jf9pa1hxpb9788984ww9rfleet-managementvk97e9qtq7n1jf9pa1hxpb9788984ww9rgreenhelixvk97e9qtq7n1jf9pa1hxpb9788984ww9rguidevk97e9qtq7n1jf9pa1hxpb9788984ww9rlatestvk97e9qtq7n1jf9pa1hxpb9788984ww9ropenclawvk97e9qtq7n1jf9pa1hxpb9788984ww9rreputationvk97e9qtq7n1jf9pa1hxpb9788984ww9rrisk-managementvk97e9qtq7n1jf9pa1hxpb9788984ww9rtrading-botvk97e9qtq7n1jf9pa1hxpb9788984ww9r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvAGENT_SIGNING_KEY, GREENHELIX_API_KEY
Primary envAGENT_SIGNING_KEY

Comments