Trade History

v1.0.0

Read and display recent trade history from local JSONL log file. Use when asked about past trades, trade recap, performance review, or to list recorded signals.

by Indra Riswana @newbienodes
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Stated purpose (read/display local JSONL trade log) is plausible and the only declared runtime dependency is python3, which is proportional. However the SKILL.md hard-codes a specific log location (/home/windows_11/.openclaw/...) and a path to a read.py under ~/.npm-global/lib/node_modules/openclaw/skills/trade-history/read.py that is not part of this skill package — that is inconsistent with an instruction-only skill which should either operate on files already present or include the small script it needs.
Instruction Scope
The instructions tell the agent to execute a local Python script at a specific global path. The skill bundle contains no code to review, so the actual behavior of that script is unknown — it could read only the trades file or perform arbitrary actions. The SKILL.md also embeds a user-specific absolute log path rather than a configurable or relative path, limiting portability and raising the chance of unintended file access.
Install Mechanism
No install spec (instruction-only) is lower risk in general, but here it's problematic: the instructions assume a particular script is already installed under ~/.npm-global/lib/node_modules/... even though the registry package includes no files. That implicit dependency makes behavior environment-dependent and unverifiable.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, it references a hard-coded home-directory path and a global npm path; executing an unknown script with access to the filesystem without explicit bounds is disproportionate to the simple task of reading a JSONL file. The SKILL.md's guarantee (read-only, never modify) cannot be verified from the available materials.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only; it does not request persistent privileges or modify other skills. Autonomous invocation remains possible (platform default) but is not combined here with elevated privileges.
Scan Findings in Context
[no_code_files_in_bundle] unexpected: The static scanner found no files to analyze. That is allowed for instruction-only skills, but SKILL.md references a read.py script that is not included—this mismatch is unexpected and prevents code review.
What to consider before installing
Do not run this skill until you verify the referenced Python script and the log path. Specifically: (1) Inspect the file ~/.npm-global/lib/node_modules/openclaw/skills/trade-history/read.py — do not execute it if you cannot review its contents; (2) Confirm or change the hard-coded log path (/home/windows_11/...) to a location you control, or require the skill accept a user-specified path; (3) Prefer a skill that includes its small read script in the package so you can review the code before execution; (4) If you must run it, run the script in a safe environment (non-production account, limited filesystem permissions) and back up the trades.jsonl file first. The main concerns are the missing script (unknown behavior) and the hard-coded absolute path that may read unexpected files.

Like a lobster shell, security has layers — review code before you run it.

latestvk976pxq2s6jza2wzr8vnf12n5d81mxhk

Runtime requirements

📋 Clawdis
Bins: python3
