Cross Funding Arb

This skill appears to implement the advertised HL+Binance funding-rate arbitrage logic and needs your Hyperliquid private key plus Binance API key/secret — which is expected for a trading bot. However, before installing or running it, consider the following: - Credential exposure: The script will try to read ~/.openclaw/openclaw.json and several ~/.{zeroclaw}/config.toml files to find Discord/Telegram bot tokens if you did not set DISCORD_BOT_TOKEN / TELEGRAM_BOT_TOKEN in the environment. Those files can contain other channels/tokens for other tools; the skill does not declare or explain this fallback behavior. If you store tokens in those files, the skill may use them. - Minimize risk: Use an Agent Wallet or a Hyperliquid key with minimal permissions rather than your main hot wallet. For Binance, prefer an API key with only trading permissions needed and restrict IPs if possible. Do not supply credentials with withdrawal/transfer rights. - Opt-out the fallback: To avoid the skill reading daemon configs, set DISCORD_BOT_TOKEN, DISCORD_CHANNEL_ID, TELEGRAM_BOT_TOKEN, and TELEGRAM_CHAT_ID explicitly in the skill's .env, or run the skill in a dedicated account/user without those global daemon config files. - Audit & test: Review references/cross_funding.py yourself (it is included) to confirm notification endpoints and any other network calls. Test in testnet modes (HL_TESTNET, BINANCE_TESTNET) and run with very small budgets or simulated accounts first. - Operational safety: The README suggests pip installing dependencies; run that in an isolated virtualenv. Verify that state files are stored where you expect (STATE_DIR) and that logging/notifications go only to destinations you control. If you need help identifying what tokens/configs you have under ~/.openclaw or ~/.zeroclaw, or want guidance to run this safely in a sandbox, I can help with exact commands and checks.