Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Send to FMZ
v1.0.0
A specialized tool for sending quantitative trading signals to the FMZ platform via HTTP API.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the code and SKILL.md: the handler sends JSON signals to FMZ's channel API. The single included Python file and the runtime instructions align with the declared purpose (FMZ trade signal transmission).
Instruction Scope
SKILL.md confines behavior to sending trade commands; the code does exactly that. However, SKILL.md claims 'Secure Communication: Uses a user-defined UUID' while the implementation uses a hardcoded MY_UUID constant and only suggests editing the source — there is no secure storage or env var for the UUID. Also the code broadcasts to node_id=0 (all robots), which is a behavior the docs don't emphasize as a risk.
Install Mechanism
Instruction-only with a small handler file; there is no install spec, no external downloads, and no archive extraction. Uses the requests library which is common but may need to be present in the runtime environment.
Credentials
The skill requests no environment variables or credentials (proportionate). However, it embeds a 'UUID' in code (MY_UUID) rather than accepting it as a declared/secret env var or parameter — this reduces security and makes secret management awkward. The code does not require unrelated credentials or access.
Persistence & Privilege
Does not request permanent/always-on privilege. Flags show always:false and normal invocation behavior. The skill does not attempt to modify other skills or system-wide configs.
Assessment
This skill is generally what it says — it posts trade signals to FMZ — but review and tighten a few things before installing: (1) Replace the hardcoded MY_UUID with a secret passed via environment variable or secure input rather than editing the source, so the UUID isn't exposed in code. (2) Confirm the use of node_id=0 (broadcast) is intended — broadcasting will send the signal to all robots and can have unintended effects. (3) Ensure the runtime has the requests package or adapt the code to available HTTP tooling. (4) Add response validation and error handling (check FMZ API response body) before assuming success. (5) Test in a safe/staging robot on FMZ to confirm behavior and rate limits before sending real trades.
