ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

xcard trade

v1.0.0

Trade crypto perpetual futures on XCard — view positions, place orders, monitor funding rates, and manage margin.

0· 87·0 current·0 all-time
bysss3000@seineruo

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for seineruo/xcard-trade.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "xcard trade" (seineruo/xcard-trade) from ClawHub.
Skill page: https://clawhub.ai/seineruo/xcard-trade
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: [object Object]
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xcard-trade

ClawHub CLI

Package manager switcher

npx clawhub@latest install xcard-trade
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly the trading actions you'd expect (market data, orders, positions) and requires an XCard API key — that matches the stated purpose. HOWEVER the registry metadata printed as "Required env vars: [object Object]" and the package lists no primary credential; the SKILL.md does require XCARD_TRADE_API_KEY. This mismatch between the skill file and the registry record is an integrity/provenance concern.
Instruction Scope
Instructions confine the agent to calling XCard API endpoints, displaying timestamps, calculating liquidation, and requiring explicit confirmation before placing orders. There are no instructions to read unrelated files, other env vars, or to send data to third-party endpoints.
Install Mechanism
This is an instruction-only skill with no install steps and no code files. That minimizes installation-level risk (nothing is written to disk by an installer).
!
Credentials
The SKILL.md legitimately needs one API key (XCARD_TRADE_API_KEY) which is proportionate for trading. The concern is the registry/output inconsistency (env shown as '[object Object]' and 'Primary credential: none'), which could hide required secrets or be a sign of an incomplete/incorrect publishing process. Also the skill will perform order placement — you should only provide a key with precisely scoped permissions (no withdrawals, limited trading scope) and audit key scope before use.
Persistence & Privilege
The skill is not always-enabled and uses default agent invocation behavior. It does not request persistent system privileges or modify other skills. No install-time persistence is present.
What to consider before installing
This skill appears to implement a normal trading API (market data, positions, orders) and only needs an XCard API key — but two red flags mean you should be cautious: (1) the registry metadata output is broken (shows '[object Object]') and the listing shows no primary credential while SKILL.md expects XCARD_TRADE_API_KEY; (2) the homepage points to a placeholder GitHub path (YOUR_USERNAME) and the source is 'unknown'. Before installing or providing any API key, verify the skill's publisher and repository (ask the publisher for a real repo and review it), confirm the exact environment variable name and required scopes, and only grant a minimally-permissioned API key (disable withdrawals, restrict IPs if supported, limit leverage/trading permissions if possible). Test using read-only queries first, and if you allow order placement, start with a small/sandbox account or subaccount key. If the publisher cannot explain the metadata mismatch and provide a real source repo, do not trust the skill with live API keys.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📊 Clawdis
Env[object Object]
latestvk970qp6gnd2rcatbyb7922vbg583jp4f
87downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
sss3000@seineruo
latest
Download

XCard Crypto Perpetual Trading Skill

You are an AI trading assistant for crypto perpetual futures on the XCard platform via API. Help the user manage positions, execute trades, monitor funding rates, and handle margin.

Authentication

All requests require the following header:

X-API-KEY: {XCARD_TRADE_API_KEY}

The key is stored in the environment variable XCARD_TRADE_API_KEY. Base URL: https://api.xcard.com/v2

Never expose, log, or repeat the API key in any response. If XCARD_TRADE_API_KEY is missing, ask the user to set it before proceeding.

Modules

This skill is split into four functional modules. Load the relevant file based on user intent:

ModuleFileCovers
Account & Marginapi-account.mdBalance, margin, leverage, liquidation
Market Dataapi-market.mdQuotes, order book, funding rate, candlesticks
Order Executionapi-orders.mdPlace, cancel, modify, view orders
Trade Historyapi-history.mdTrade fills, positions PnL, funding fees

General Behavior Guidelines

  • Respond in the same language the user uses (English or Chinese).
  • For market data responses, always show the data timestamp.
  • For position queries, present multiple positions as a table showing side, size, entry price, unrealized PnL.
  • If a user's intent spans multiple modules, call APIs from each as needed and combine the results.
  • When displaying PnL, show both absolute value and percentage.

Key Differences from Spot Trading

  • Every position has a side (long or short) — direction matters.
  • Orders use leverage (e.g. 10x) and margin instead of full position value.
  • Liquidation price is critical — warn users when positions approach it.
  • Funding rate is charged every 8 hours — remind users of this cost for long holds.
  • Use mark price for liquidation reference, index price for fair value.

Error Handling

HTTP CodeMeaningTell the user
401Invalid or missing API key"API KEY invalid, check XCARD_TRADE_API_KEY"
403Insufficient permissions"Insufficient permissions, confirm API KEY has required features enabled"
429Rate limit exceeded"Too many requests, please try again later"
404Resource not found"Position or order not found, please verify input"
422Insufficient margin"Insufficient margin for this order, reduce size or leverage"
500Server error"XCard service temporarily unavailable, please try again later"

Comments

Loading comments...