ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Trading Co-Agent Pro

v1.0.0

AI協助監控並修復交易腳本缺漏,主動執行和補救加密貨幣及股票自動交易,持續優化交易效能。

0· 64·0 current·0 all-time
by@chungvic
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose is autonomous execution and remediation of live crypto/stock trades, but the package declares no required environment variables, no primary credential, and no required config paths. The included script expects a config.json (rpc_endpoints, tokens_to_monitor, trading_params, risk_limits) and the runtime behavior implies wallet/private-key or exchange API access for signing/sending transactions—none of which are declared or explained. This mismatch is disproportionate and incoherent with the stated capability.
!
Instruction Scope
SKILL.md directs the agent to run a 5-minute monitoring loop, 'actively execute trades', 'repair scripts', re-run failed trades, and perform emergency remediation. These instructions permit reading/writing logs, accessing configuration, editing/fixing scripts, and sending transactions. The instructions are broad and vague (e.g., '修復腳本', '做出決策並執行') and grant the agent wide discretion without explicit guardrails or limits, which is scope creep for a typical monitoring/helper skill.
Install Mechanism
There is no install specification (instruction-only plus a small Python script). Nothing is downloaded or installed by the registry spec, which minimizes supply-chain risk. The provided Python script is local and readable.
!
Credentials
Executing real trades would normally require sensitive secrets (wallet private keys or exchange API keys) and network credentials (RPC endpoints). The skill requests none of these in metadata; the script implicitly relies on a local config.json but no config path was declared. This under-declaration is a red flag: the skill either omits required sensitive inputs (poor design) or expects users to place secrets in unspecified locations (risky).
!
Persistence & Privilege
always is false (good), but model invocation is enabled (default), which means the agent could autonomously act on the broad trade-and-fix instructions. Combined with the vague instructions to modify scripts and perform live trades, autonomous invocation increases potential impact if credentials are provided or stored insecurely. The skill does not document user confirmation/approval steps for real trades.
What to consider before installing
This skill is internally inconsistent: it promises autonomous execution and repair of live trades but does not declare how it will obtain the sensitive credentials or config it needs. Before installing or enabling it consider: 1) Do not supply private keys or exchange API credentials until you inspect and approve where/how they are stored; prefer hardware wallets or exchange API keys with tightly scoped permissions. 2) Review and harden config.json usage: place credentials in a secure secrets manager and do not keep plaintext keys in repo. 3) Require explicit manual approval for any real-money trade (disable autonomous invocation or add confirmation steps). 4) Audit the code paths that would sign/send transactions and any code that edits other scripts. 5) If you plan to run it, run in a sandboxed environment with limited credentials and test thoroughly in simulation before granting live-trading access. If you want, provide the missing information (where credentials/config are expected and how script updates are applied) and I can re-evaluate.

Like a lobster shell, security has layers — review code before you run it.

coagentvk971wmgf48p5fh4qge6fe1zcqs847cd6latestvk971wmgf48p5fh4qge6fe1zcqs847cd6signalsvk971wmgf48p5fh4qge6fe1zcqs847cd6tradingvk971wmgf48p5fh4qge6fe1zcqs847cd6
64downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@chungvic
coagentlatestsignalstrading
Download

Trading Co-Agent Skill

AI 與交易腳本的協作共生系統。

核心原則

並存共生 (Coexistence)

  • 腳本監視,你也監視:每 5 分鐘檢查一次交易訊號
  • 腳本無智能,你有:腳本做不到的判斷,你來做
  • 腳本遺漏,你補上:發現腳本沒抓到的訊號,分析原因並修復
  • 腳本失敗,你補救:交易失敗時 investigation 並重新執行
  • 腳本出錯,你糾正:發現錯誤交易立即補救

工作循環 (每小時 12 次,每天 24 小時)

每 5 分鐘執行:
1. 掃描所有交易訊號
2. 檢查腳本是否發現訊號
3. 檢查腳本是否執行交易
4. 檢查交易是否成功
5. 檢查交易內容是否正確
6. 做出決策並執行

決策流程

1. 腳本無發現訊號

IF 腳本沒發現訊號 AND 你發現訊號:
  → 分析為什麼腳本沒發現
  → 評估訊號是否值得跟隨
  → IF 值得:主動執行交易
  → 記錄原因並修復腳本

2. 腳本發現訊號但無交易

IF 腳本發現訊號 BUT 無交易:
  → 審視是否值得交易
  → IF 不值得:腳本無問題,記錄原因
  → IF 值得:主動執行交易
  → 查找腳本為什麼沒交易並修復

3. 腳本交易失敗

IF 腳本交易失敗:
  → 查找失敗原因(滑點?Gas?RPC?)
  → 修復問題
  → 重新執行交易(如仍值得)

4. 腳本交易成功但內容錯誤

IF 交易成功 BUT 內容錯誤(如買錯 token):
  → 立即評估損失
  → 執行補救交易(賣出/對沖)
  → 查找錯誤原因並修復腳本

5. 腳本交易成功且正確

IF 交易成功 AND 內容正確:
  → 記錄成功案例
  → 繼續監控

監控清單

每 5 分鐘檢查:

檢查項目腳本狀態AI 行動
訊號發現❌ 未發現分析原因,主動交易(如值得)
訊號發現✅ 發現但無交易評估價值,決定是否補位
交易執行❌ 失敗調查原因,修復並重試
交易內容❌ 錯誤立即補救,糾正腳本
交易執行✅ 成功記錄,繼續監控

主動交易權限

你可以主動交易當:

  1. 訊號值得跟隨但腳本沒執行
  2. 腳本交易失敗但機會仍存在
  3. 需要緊急補救錯誤交易

交易前必須確認:

  • 訊號質量分析完成
  • 風險評估完成
  • Gas/滑點在可接受範圍
  • 交易參數正確(token 地址、數量、滑點容忍度)

腳本進化循環

發現問題 → 分析原因 → 修復腳本 → 驗證修復 → 記錄學習

48 小時目標: 經過約 576 次監控循環(每小時 12 次 × 48 小時),腳本應該趨近完美。

日誌記錄

每次監控循環記錄:

### [時間戳] 監控循環 #XXX

**訊號總數:** X
**腳本發現:** Y
**AI 發現:** Z
**執行交易:** N
**失敗交易:** M
**修復動作:** [...]
**腳本更新:** [...]

緊急處理

錯誤交易補救

  1. 立即確認錯誤類型(買錯/賣錯/數量錯)
  2. 評估當前市場狀況
  3. 執行最優補救方案:
    • 立即賣出(如虧損可接受)
    • 對沖持倉
    • 等待反彈(如短期波動)
  4. 記錄教訓並修復腳本

連續失敗處理

IF 連續 3 次交易失敗: → 暫停自動交易 → 深度調查根本原因 → 通知用戶 → 修復後恢復

技能使用

此技能適用於:

  • 加密貨幣自動化交易
  • 股票量化交易
  • 需要 AI 判斷補充規則引擎的場景
  • 持續優化的交易系統

相關文件

  • references/trading-checklist.md - 詳細檢查清單
  • references/failure-analysis.md - 失敗原因分析指南
  • scripts/monitor-signals.py - 訊號監控腳本(如需要)

Comments

Loading comments...