Upbit Trading Skill
Upbit real-time trading bot - GLM AI analysis, technical indicators, automated trading
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 1.8k · 4 current installs · 4 all-time installs
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md and code claim an Upbit trading bot. However the registry metadata lists no required environment variables while the README instructs the user to set UPBIT_ACCESS_KEY and UPBIT_SECRET_KEY (used by balance.js). The README also mentions Telegram alerts and an analyze.js file which are not present in the manifest/source. The presence of an external GLM invocation via a local ../zai/ask.sh (in realtime-bot.js) is not documented in the metadata or install instructions. These discrepancies mean the declared purpose does not fully align with what the code requires and executes.
Instruction Scope
SKILL.md tells the user to set .env with Upbit keys and run node realtime-bot.js. balance.js reads .env, but realtime-bot.js does not load .env (it uses only public ticker endpoints). The bot writes and reads local files (positions.json, events.json, trade_log.json) which could be manipulated by an attacker. realtime-bot.js executes an external script (cd ../zai && ./ask.sh ...) and passes constructed prompt text to the shell — this grants the skill the ability to run arbitrary local code and there is an injection surface where prompt content can contain shell metacharacters. The docs also promise features (Telegram alerts, analyze.js) that are not implemented in the provided code.
Install Mechanism
There is no install spec (instruction-only), which is lower risk generally, but realtime-bot.js relies on an external local script at ../zai/ask.sh and expects a local GLM runtime (glm-4.7). Running the skill will attempt to execute that external script if present; that effectively pulls arbitrary code execution into the bot's runtime even though nothing in metadata declares or packages that dependency.
Credentials
Registry metadata shows no required env vars, yet SKILL.md instructs users to set UPBIT_ACCESS_KEY and UPBIT_SECRET_KEY (and optionally a GLM API key). balance.js reads UPBIT_ACCESS_KEY and UPBIT_SECRET_KEY from .env and uses them to sign JWTs — consistent with Upbit APIs, but the missing declaration is an incoherence. The optional GLM API key is mentioned but the code does not read it (it uses a local ask.sh instead), so environment/credential guidance is inconsistent and under-specified.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It persists and reads files in its directory (positions.json, events.json, trade_log.json) which is typical for a bot, but these files can be manipulated and are used to build prompts passed to an external shell script — increasing the blast radius if local files are untrusted.
What to consider before installing
This skill is internally inconsistent and presents a shell-execution risk. Before installing or running it:
1) Do not run it on a machine with sensitive data or credentials until you audit the code and the ../zai/ask.sh script it calls; that script will be executed by the bot.
2) Treat positions.json/events.json as untrusted input — an attacker who can edit those files could inject shell metacharacters into prompts that are passed to ask.sh, enabling command injection.
3) The package metadata omitted required env vars (UPBIT_ACCESS_KEY / UPBIT_SECRET_KEY) — expect to provide API keys for Upbit; store them securely.
4) The README promises Telegram alerts and an analyze.js file that are missing — contact the author or require corrected source before using for live trading.
5) If you want to proceed, fix the code first: remove execSync use or pass arguments safely (avoid shell interpolation), sanitize any data read from local files before embedding in shell commands, explicitly declare required env vars in metadata, and ensure all external dependencies (ask.sh, GLM runtime) are known and trustworthy.
If you cannot verify those points, do not run this skill with real API keys or on production systems.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
SKILL.md
Upbit Trading Bot 🚀
AI-based real-time cryptocurrency trading bot
Features
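- 📊 Technical indicators: RSI, MACD, Bollinger Bands, MA/EMA
- 🤖 AI analysis: GLM-4.7 real-time market analysis
- ⚡ 10-second monitoring: fast price checks
- 🎯 Automatic target/stop-loss: configurable TP/SL
- 📱 Telegram alerts: real-time event notifications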
Setup
- Obtain an Upbit API key (https://upbit.com/mypage/open_api_management)
- Set the environment variables:
cp .env.example .env
# Enter UPBIT_ACCESS_KEY, UPBIT_SECRET_KEY
- Run:
node realtime-bot.js
Requirements
- Node.js 18+
- Upbit account & API key
- (Optional) GLM API key for AI analysis
Files
- realtime-bot.js - main bot
- indicators.js - technical indicator calculation
- analyze.js - market analysis
- balance.js - balance check
License
MIT - Free to use and modify
