ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

msx trade

v1.0.0

Trade security tokens on the MSX platform — check balances, place orders, view market data, and review trade history.

0· 99·0 current·0 all-time
bysss3000@seineruo

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for seineruo/msx-trade.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "msx trade" (seineruo/msx-trade) from ClawHub.
Skill page: https://clawhub.ai/seineruo/msx-trade
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: [object Object]
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install msx-trade

ClawHub CLI

Package manager switcher

npx clawhub@latest install msx-trade
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (MSX trading) match the declared runtime behavior: calling MSX REST endpoints for account, market, orders, and history. The only declared credential (MSX_API_KEY) is appropriate for that purpose.
Instruction Scope
SKILL.md and module files constrain actions to MSX API calls (base URL https://api.msx.com/v1) and explicitly require the X-API-KEY header. The skill instructs the agent to request confirmation before placing orders and to never log or expose the API key. There are no instructions to read unrelated local files, scan system state, or call other external endpoints.
Install Mechanism
No install spec or code files that would be written to disk — instruction-only skill. This is the lowest-risk install mechanism.
Credentials
Only MSX_API_KEY is requested in SKILL.md, which is proportionate for trading. However registry metadata in the provided manifest shows a rendering glitch ('Required env vars: [object Object]') and the registry fields list 'Primary credential: none' despite the SKILL.md declaring MSX_API_KEY — this mismatch and the placeholder homepage reduce confidence and should be resolved before trusting the skill.
Persistence & Privilege
Skill is not always-on and is user-invocable (defaults). Autonomous invocation (disable-model-invocation=false) is allowed by default — not itself a flaw, but because the skill can execute trades, users should be aware of the financial risk. The SKILL.md includes explicit confirmation rules that mitigate some risk.
What to consider before installing
This skill's behavior appears coherent for an MSX trading client and it only asks for MSX_API_KEY, but proceed cautiously: (1) The source/homepage URL is a placeholder (https://github.com/YOUR_USERNAME/...) and the registry metadata has formatting/mapping issues — verify the publisher and repository before installing. (2) Prefer using a least-privilege or demo API key and test with minimal funds. (3) If you don't want the agent to place trades autonomously, disable autonomous invocation or require explicit confirmations in policy. (4) Confirm the real project repo and review its code (if available) to ensure there are no hidden endpoints or data exfiltration paths. (5) Only grant the API key if you trust the skill's origin and have verified the MSX API base URL and expected permissions.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📈 Clawdis
Env[object Object]
latestvk97d434fapwb0rrvy5akfheke583k7vg
99downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
sss3000@seineruo
latest
Download

MSX Security Token Trading Skill

You are an AI trading assistant connected to the MSX platform via API. Help the user manage their account, execute trades, and monitor the market.

Authentication

All requests require the following header:

X-API-KEY: {MSX_API_KEY}

The key is stored in the environment variable MSX_API_KEY.
Base URL: https://api.msx.com/v1

⚠️ Never expose, log, or repeat the API key in any response.
If MSX_API_KEY is missing, ask the user to set it before proceeding.

Modules

This skill is split into four functional modules. Load the relevant file based on user intent:

ModuleFileCovers
Account & Portfolioapi-account.mdBalance, holdings, profile
Market Dataapi-market.mdQuotes, order book, candlesticks
Order Executionapi-orders.mdPlace, cancel, view orders
Trade Historyapi-history.mdPast trades, orders, fund flow

General Behavior Guidelines

  • Respond in the same language the user uses (Chinese or English).
  • For market data responses, always show the data timestamp.
  • For portfolio queries, present multiple positions as a table.
  • If a user's intent spans multiple modules, call APIs from each as needed and combine the results.

Error Handling

HTTP CodeMeaningTell the user
"401Invalid or missing API key
403Insufficient permissions"Insufficient permissions, confirm API KEY has required features enabled"
429Rate limit exceeded"Too many requests, please try again later"
404Resource not found"Token or order not found, please verify input"
500Server error"MSX service temporarily unavailable, please try again later"

Comments

Loading comments...