Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weex

v1.0.1

Automated trading tool for WEEX API, supporting futures and spot trading, including natural language order placement, order cancellation, order query, market...

1 star · 108 downloads · 0 current · 0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for iiiiicooper/weex.

Install the skill "Weex" (iiiiicooper/weex) from ClawHub.
Skill page: https://clawhub.ai/iiiiicooper/weex
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install weex

ClawHub CLI


npx clawhub@latest install weex
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included files: the repo contains spot and contract API wrappers, local endpoint definitions, signing docs, and helper scripts — all expected for a WEEX trading skill. However, the registry metadata claims no required environment variables or primary credential while the SKILL.md and code clearly expect WEEX_API_KEY, WEEX_API_SECRET, WEEX_API_PASSPHRASE (and optional WEEX_API_BASE/WEEX_LOCALE). That mismatch is an incoherence in the packaging/metadata.
Instruction Scope
SKILL.md gives concrete commands to run the included Python scripts and documents that private endpoints require env vars. It does not instruct reading arbitrary host files or unrelated credentials. Two concerns: (1) SKILL.md says 'Default flow is direct live execution (no dry-run step)' while also requiring '--confirm-live' for mutating requests — this is ambiguous and could lead to accidental live trades if the agent omits the flag; (2) the agent is expected to translate natural language into CLI flags (the agent layer does this), which gives broad discretion to the agent to craft mutating commands. Both are relevant operational risks for a trading skill but are within the domain of the stated purpose.
Install Mechanism
No install spec; the skill is instruction-only plus Python scripts present. That means nothing is auto-downloaded at install time. The included scripts are local and self-contained; no external arbitrary binary downloads were observed in the manifest.
Credentials
The scripts legitimately require API credentials (KEY, SECRET, PASSPHRASE) and optionally base URL/timeout/locale — those are proportionate for a trading integration. The problem is metadata: the registry lists no required env vars or primary credential, while SKILL.md and references clearly require and read env vars. This inconsistency can mislead users or automated gate checks that rely on declared requirements. Also, the skill requests full trading capability (place/cancel orders, adjust margin), so you should use least-privilege keys (no withdrawal permission).
Persistence & Privilege
always is false and there is no install behavior that modifies other skills or system configuration. The skill does not request permanent platform-level privileges. It will run Python scripts when invoked, which is expected for this kind of skill.
What to consider before installing
This skill appears to be a real WEEX trading client (spot + futures) implemented as local Python scripts. Before installing or providing real API credentials:

  • Treat the registry metadata mismatch as a red flag: SKILL.md and the scripts require WEEX_API_KEY / WEEX_API_SECRET / WEEX_API_PASSPHRASE even though the registry lists none. Don't rely solely on the registry declarations.
  • Do not provide your main account keys. Create a least-privilege API key for testing (disable withdrawals; limit permissions to read and trading only if needed).
  • Inspect the scripts yourself (they are included) to confirm there are no hardcoded exfil endpoints or logging of secrets. The provided files appear to call the weex.com API and fetch docs from weex.com, which is expected for this skill.
  • Test in dry-run / sandbox first: manually run the scripts locally with test keys or in a sandbox account to verify behavior. The SKILL.md expects the agent to include --confirm-live for mutating actions; be explicit in prompts and review generated CLI before execution.
  • Because the agent is responsible for mapping natural language to CLI flags, prefer explicit structured prompts (e.g., specify exact --confirm-live or --no-execute) and review any generated command before it runs.
  • If you plan to use this in an automated/agent setting, require an explicit confirmation step for any live trade, rotate keys if exposed, and consider running the skill in an isolated environment.

If you want a cleaner integration: ask the skill author to update the registry metadata to declare the required env vars and set a primary credential, and to clarify the default/dry-run behavior to avoid ambiguity around live execution.


latest: vk973g0n74hwn0n7bsya3tg675983tmz6
108 downloads
1 star
2 versions
Updated 1mo ago
v1.0.1
MIT-0

WEEX API

Use:

  • scripts/weex_contract_api.py for contract
  • scripts/weex_spot_api.py for spot

For private endpoints:

export WEEX_API_KEY="..."
export WEEX_API_SECRET="..."
export WEEX_API_PASSPHRASE="..."
export WEEX_API_BASE="https://api-contract.weex.com"
export WEEX_LOCALE="en-US"

Fast Path

# Contract
python3 scripts/weex_contract_api.py list-endpoints --pretty
python3 scripts/weex_contract_api.py ticker --symbol BTCUSDT --pretty
python3 scripts/weex_contract_api.py poll-ticker --symbol BTCUSDT --interval 2 --count 30 --pretty

# Spot
python3 scripts/weex_spot_api.py list-endpoints --pretty
python3 scripts/weex_spot_api.py ticker --symbol BTCUSDT --pretty

Natural Language Order

Natural language is interpreted by the agent layer.
Scripts no longer parse keywords from free text.

The agent must convert user intent into structured fields, then call deterministic commands:

# Contract V3
python3 scripts/weex_contract_api.py place-order \
  --symbol ETHUSDT --side SELL --position-side SHORT --type LIMIT \
  --quantity 0.001 --price 10000 --time-in-force GTC --confirm-live --pretty

# Spot V3
python3 scripts/weex_spot_api.py place-order \
  --symbol ETHUSDT --side BUY --order-type LIMIT \
  --quantity 0.001 --price 999 --time-in-force GTC --confirm-live --pretty

Safety Policy

  • Never send mutating requests without --confirm-live.
  • Default flow is direct live execution (no dry-run step).
  • If instruction is ambiguous or missing fields, ask only for missing fields.
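The scan above notes that the registry declares no required credentials while the scripts read WEEX_API_KEY, WEEX_API_SECRET and WEEX_API_PASSPHRASE, and that the agent layer decides when --confirm-live is attached. The following is an added example of an agent-side guard that enforces the Safety Policy and the private-endpoint credential requirement before any command is built; it is illustrative code written for this page, not part of the iiiiicooper/weex skill. It assumes the command names and flag spellings shown in the Fast Path and Contract V3 examples (ticker, place-order, cancel-order, --symbol, --side, --position-side, --type, --quantity, --price, --time-in-force, --confirm-live, --pretty); the classification of place-order and cancel-order as mutating is this example's own assumption.

```python
"""Guard layer that turns structured order fields into a deterministic CLI plan.

Added example, not the skill's own code. It never executes anything; it
returns a plan (or a refusal) that a caller can review before running.
"""
import os
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Mapping, Optional

# Credentials the scripts read for private endpoints (from SKILL.md). The
# registry metadata declares none, so the presence check is made explicit here.
REQUIRED_PRIVATE_ENV = ("WEEX_API_KEY", "WEEX_API_SECRET", "WEEX_API_PASSPHRASE")

# Assumed classification: commands that change account state.
MUTATING_COMMANDS = {"place-order", "cancel-order"}

# Flags of a contract LIMIT order, in the order SKILL.md's example lists them.
CONTRACT_ORDER_FIELDS = ("symbol", "side", "position-side", "type",
                         "quantity", "price", "time-in-force")
NUMERIC_FIELDS = ("quantity", "price")
SCRIPT = "scripts/weex_contract_api.py"


def missing_env(env: Mapping[str, str]) -> List[str]:
    """Names of required credential variables that are unset or empty."""
    return [name for name in REQUIRED_PRIVATE_ENV if not env.get(name)]


def missing_fields(fields: Mapping[str, str]) -> List[str]:
    """Order fields the agent still has to ask the user for."""
    return [name for name in CONTRACT_ORDER_FIELDS if not fields.get(name)]


def bad_numbers(fields: Mapping[str, str]) -> List[str]:
    """Numeric fields that are present but not strictly positive decimals."""
    bad = []
    for name in NUMERIC_FIELDS:
        if name not in fields:
            continue
        try:
            if Decimal(str(fields[name])) <= 0:
                bad.append(name)
        except InvalidOperation:
            bad.append(name)
    return bad


def plan_contract_command(command: str, fields: Dict[str, str],
                          confirm_live: bool = False,
                          env: Optional[Mapping[str, str]] = None) -> dict:
    """Return {"status": "ok", "argv": [...]} or a refusal explaining why."""
    env = os.environ if env is None else env
    mutating = command in MUTATING_COMMANDS

    # Safety Policy: never build a mutating request without --confirm-live.
    if mutating and not confirm_live:
        return {"status": "blocked",
                "reason": "mutating command requires --confirm-live"}

    # Private endpoints need all three credentials; fail before any network call.
    if mutating:
        lacking = missing_env(env)
        if lacking:
            return {"status": "blocked",
                    "reason": "missing env: " + ", ".join(lacking)}

    if command == "place-order":
        # Safety Policy: ask only for the fields that are actually missing.
        gaps = missing_fields(fields)
        if gaps:
            return {"status": "needs_fields", "missing": gaps}
        bad = bad_numbers(fields)
        if bad:
            return {"status": "blocked",
                    "reason": "non-positive or non-numeric: " + ", ".join(bad)}
        ordered = CONTRACT_ORDER_FIELDS
    else:
        ordered = tuple(fields)

    argv = ["python3", SCRIPT, command]
    for name in ordered:
        argv += [f"--{name}", str(fields[name])]
    if mutating:
        argv.append("--confirm-live")  # only reached when the caller confirmed
    argv.append("--pretty")
    return {"status": "ok", "argv": argv}


if __name__ == "__main__":
    # Constructed sample input mirroring the Contract V3 example above.
    sample = {"symbol": "ETHUSDT", "side": "SELL", "position-side": "SHORT",
              "type": "LIMIT", "quantity": "0.001", "price": "10000",
              "time-in-force": "GTC"}
    print(plan_contract_command("place-order", sample, confirm_live=False))
    print(plan_contract_command("place-order", sample, confirm_live=True))
```

The plan is data, not an executed process: an agent integration would show the argv to the user and only then hand it to a subprocess, which keeps the "review generated CLI before execution" step from the scan report in the loop.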

Regenerating API Definitions

Local contract and spot definitions are generated from the live WEEX V3 docs:

python3 scripts/generate_weex_api_definitions.py --product all

References

  • references/spot-endpoints.md
  • references/spot-api-definitions.json (machine-readable local spot interface definitions)
  • references/spot-api-definitions.md (human-readable local spot interface definitions)
  • references/contract-api-definitions.json (machine-readable local interface definitions)
  • references/contract-api-definitions.md (human-readable local interface definitions)
  • references/contract-endpoints.md
  • references/auth-and-signing.md
  • references/websocket.md
