Neuro Scalp
v1.0.2AI-driven high-frequency crypto scalping bot for OKX with reinforcement learning, dynamic risk control, and real-time market data monitoring.
⭐ 0· 42·1 current·1 all-time
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The project code implements an OKX trading bot as advertised, but the registry metadata claims no required env vars or primary credential while the code clearly expects OKX API credentials (OKX_API_KEY, OKX_SECRET, OKX_PASSPHRASE) and a Redis endpoint. SKILL.md instructs to copy .env.example -> .env but no .env.example is present in the bundle. Also code imports ccxt.pro while requirements.txt lists ccxt (mismatch). These metadata/instruction omissions are incoherent with the skill's purpose.
Instruction Scope
SKILL.md gives typical install/run steps but omits important runtime risks: the orchestrator will open live trading connections, consume/produce Redis pubsub channels and expose a dashboard. The code will load model checkpoints from disk with torch.load (unsafe for untrusted files) and will execute trades (create_order) when env creds are present. SKILL.md does not warn about the model-loading risk or about network exposure.
Install Mechanism
There is no separate install spec (instruction-only), which keeps risk lower than arbitrary downloads. Dependencies are provided in requirements.txt and a docker-compose file is included. However: code imports ccxt.pro (commercial ccxt.pro) but requirements list ccxt; this will cause runtime issues or require installing a commercial package. No remote code downloads or obfuscated installers were found.
Credentials
The code legitimately needs OKX API keys and optionally REDIS_URL, but registry metadata declares none. Requiring API keys for a trading bot is expected, but the mismatch (metadata vs code) is a red flag. Docker-compose shows example envs in plaintext. Also model checkpoint loading via torch.load means a provided model file becomes a sensitive trust boundary (it can execute code when loaded).
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent config. It runs as a normal service (can be invoked/autonomously by default), publishes to Redis, and serves a dashboard — typical for this type of tool. No excessive platform privileges were requested.
Scan Findings in Context
[loads-torch-checkpoint] unexpected: models/agent.py calls torch.load(model_path) / load_state_dict without validating the file source. torch.load can execute arbitrary code when loading malicious or tampered .pth files. While loading model weights is expected for an ML trading bot, this is a significant security risk unless model files are only sourced from fully trusted origins.
[uses-ccxt-pro] expected: core/data/feed.py imports ccxt.pro as ccxt which is expected for low-latency exchange websocket access, but requirements.txt only lists ccxt==4.1.18 (ccxt.pro is a separate/commercial package). This mismatch will break installation or require manual installation of ccxt.pro.
[reads-exchange-credentials-from-env] expected: config/settings.yaml and main.py reference OKX_API_KEY, OKX_SECRET, and OKX_PASSPHRASE — expected for an exchange-integrated trading bot. The registry metadata however did not declare these required env vars, which is an inconsistency.
[redis-pubsub-forwarding] expected: dashboard/app.py subscribes to Redis channels and forwards messages over WebSocket to clients. This is expected for a live dashboard but means Redis must be protected; otherwise, dashboard clients could receive sensitive trading data if exposed publicly.
What to consider before installing
This repository appears to implement the advertised OKX scalping bot, but I recommend caution before installing or running it with real credentials.
Key actions to consider before use:
- Do not run with real OKX API keys on any machine you care about until you audit and test in isolation. The code will execute live orders when keys are present.
- Treat model checkpoint files as a trust boundary. torch.load can execute arbitrary code when loading malicious .pth files — only load checkpoints you or a trusted party produced. Consider disabling automatic model loading or sandboxing the process.
- The registry metadata is inconsistent: the bundle fails to declare required environment variables (.env.example is missing). Expect to supply OKX_API_KEY, OKX_SECRET, OKX_PASSPHRASE and secure your Redis instance (do not expose ports publicly).
- Resolve dependency mismatches (ccxt.pro import vs ccxt in requirements) and test in a disposable, network-isolated environment (e.g., throwaway VM or container) using OKX testnet credentials first.
- If you plan to expose the dashboard, put it behind authentication and do not bind it to 0.0.0.0 on an internet-facing host without proper access controls.
If you want, I can: (1) list the exact places to harden (code lines to change) to mitigate torch.load risk; (2) produce an installation checklist to run safely in testnet; or (3) produce a minimal audit patch that refuses to load model files unless signed/trusted.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Neuro Scalp - AI 加密货币剥头皮交易机器人
🤖 技能描述
AI 驱动的高频量化交易机器人,专为加密货币剥头皮策略设计。
✨ 核心功能
- 交易平台: OKX 合约/现货(支持测试网)
- 运行模式: 7x24 全自动交易
- AI 核心: 强化学习 (PPO/SAC) + LSTM + 在线学习
- 交易策略: 订单簿失衡、流动性扫描、均值回归、动量策略
- 风控系统: 动态仓位管理、自动止损、每日熔断机制
🛠️ 技术架构
- 数据层: WebSocket 实时行情、Redis 高速缓存
- 特征工程: 订单簿失衡、微价格、波动率压缩检测
- 执行引擎: PostOnly 挂单、滑点控制
- 监控面板: FastAPI + Plotly 实时可视化
📦 安装说明
- 克隆技能:
clawhub install neuro-scalp - 安装依赖:
pip install -r requirements.txt - 配置环境变量:
cp .env.example .env - 运行:
python main.py
⚠️ 风险提示
- 仅供学习研究使用
- 实盘交易存在风险
- 建议先测试网验证
- 务必设置合理止损
💰 定价
- 基础版: 免费(测试网 + 基础策略)
- 高级版: $9.99/月(实盘 + 全部功能)
- 终身版: $49.99(一次买断)
📝 版本
v1.0.0 | MIT License
Files
21 totalSelect a file
Select a file to preview.
Comments
Loading comments…