Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openalgo Executor

v1.0.0

Skill to interact with the OpenAlgo API for trading operations. Allows placing market/limit orders, retrieving current positions, and fetching symbol quotes....


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anthonyabraham1379-pixel/openalgo-executor.

Install the skill "Openalgo Executor" (anthonyabraham1379-pixel/openalgo-executor) from ClawHub.
Skill page: https://clawhub.ai/anthonyabraham1379-pixel/openalgo-executor
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install openalgo-executor

ClawHub CLI

npx clawhub@latest install openalgo-executor
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (place orders, get positions/quotes) aligns with the Python client functions. However, SKILL.md claims the default endpoint is http://localhost:5000 (or an ngrok URL), while the included script sets BASE_URL to a hard-coded Tailscale IP (http://100.66.165.107:5000). The hard-coded remote endpoint is not justified in the documentation and is unexpected for a generic 'executor' skill.
Instruction Scope
SKILL.md only instructs running the client commands and documents a configurable --url parameter, but it does not disclose the embedded default Tailscale IP. The instructions do not request credentials (odd for trading), yet the client will POST/GET to the embedded remote host if --url is not supplied. This is scope creep: the skill could reach a third-party service not mentioned in the docs.
Install Mechanism
No install spec is provided and the skill is instruction-only with a small Python client. Nothing is written to disk by an installer. This is low install risk.
Credentials
The skill declares no required environment variables or credentials. For trading actions this is unusual (most trading APIs require auth). Absence of credentials could mean the target API expects no auth (potentially unsafe) or credentials are meant to be provided via the networked OpenAlgo server — either way, the lack of declared credentials combined with the hard-coded remote endpoint is suspicious.
Persistence & Privilege
The skill is not marked always:true and doesn't request elevated agent-wide privileges or modify other skills. It behaves as a normal, user-invocable skill.
What to consider before installing
Do not install blindly. The included client will, by default, send order/position/quote requests to a hard-coded Tailscale IP (http://100.66.165.107:5000) that is not documented in SKILL.md. Ask the author why that default exists, or inspect/modify the script to point to a trusted localhost/ngrok URL before use. Because this skill can issue trading orders, avoid running it against any account with real funds until you confirm the endpoint is trustworthy and understand how authentication is handled. If possible, run the skill in a network-restricted sandbox or block outbound access to that IP until you verify it.
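One way to run the "inspect the script" step before installing is to compare the endpoints hard-coded in a skill's script with those its documentation declares. This is an added example, not code from the skill or from ClawHub; the function names and the sample inputs are assumptions, with the script line rebuilt from the scan's description.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# 100.64.0.0/10 is the shared (CGNAT) range that Tailscale assigns addresses from.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed inputs: the doc text paraphrases SKILL.md; the script line is rebuilt
# from the scan's description, since the real script is not shown on the page.
SKILL_MD = ("The default API endpoint is http://localhost:5000. "
            "Override it with --url http://your-ngrok-url.io")
SCRIPT = '# local OpenAlgo: http://localhost:5000\nBASE_URL = "http://100.66.165.107:5000"\n'

def endpoints(text):
    """Return the (host, port) pair of every http(s) URL found in text."""
    found = set()
    for url in URL_RE.findall(text):
        parts = urlsplit(url.rstrip(".,;:"))  # drop sentence punctuation
        if parts.hostname:
            found.add((parts.hostname.lower(), parts.port))
    return found

def classify(host):
    """Label a host by where traffic sent to it would go."""
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip in CGNAT:
        return "cgnat/tailscale"
    return "private" if ip.is_private else "public"

def undocumented_endpoints(doc_text, script_text):
    """Non-loopback endpoints hard-coded in the script but absent from the docs."""
    extra = endpoints(script_text) - endpoints(doc_text)
    hits = [(h, p, classify(h)) for h, p in extra if classify(h) != "loopback"]
    return sorted(hits, key=lambda hit: (hit[0], hit[1] or 0))

if __name__ == "__main__":
    for host, port, kind in undocumented_endpoints(SKILL_MD, SCRIPT):
        print(f"undocumented endpoint: {host}:{port} ({kind})")
```

Any non-empty result is a reason to stop and read the script before letting an agent run it, since the agent would otherwise send requests to a host the documentation never named.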

Like a lobster shell, security has layers — review code before you run it.

latestvk972d4hb3wc9t8fpn39r2agtfx84e32n
79 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

OpenAlgo Executor Skill

This skill provides an interface to the OpenAlgo trading platform.

Capabilities

  • Place Market/Limit Orders
  • Retrieve Current Positions
  • Obtain Symbol Quotes

Configuration

The skill uses a Python client script (scripts/openalgo_client.py) to interact with the OpenAlgo API. The default API endpoint is http://localhost:5000. If your OpenAlgo service is accessible via a different URL or an ngrok tunnel, you can specify it using the --url argument when running commands.

Usage

To use this skill, you can execute commands via the run_command function, passing the desired arguments for the openalgo_client.py script.

Placing Orders

Market Order: To place a market order, specify the symbol, action (buy/sell), and quantity.

Example: Place a market buy order for 10 SOL:

openalgo-executor.run_command("order --symbol SOLUSD --action buy --quantity 10")

Limit Order: To place a limit order, specify the symbol, action, quantity, order type (limit), and the desired price.

Example: Place a limit sell order for 5 BTC at $50000:

openalgo-executor.run_command("order --symbol BTCUSD --action sell --quantity 5 --type limit --price 50000")

Retrieving Positions

To get a list of your current open positions, use the positions command.

Example:

openalgo-executor.run_command("positions")

Retrieving Quotes

To get the current quote for a specific symbol, use the quote command with the symbol.

Example: Get the quote for ETHUSD:

openalgo-executor.run_command("quote --symbol ETHUSD")

Custom URL

If your OpenAlgo API is hosted at a different URL (e.g., via ngrok), append the --url argument to your command.

Example: Using an ngrok URL:

openalgo-executor.run_command("order --symbol SOLUSD --action buy --quantity 10 --url http://your-ngrok-url.io")
