v2.8.0

Cross Funding Arb

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:22 AM.

Analysis

This is a coherent but high-impact autonomous crypto-futures trading bot that can use real exchange secrets, run on a schedule, and place or close trades without per-trade confirmation.

Guidance: Install only if you intentionally want an autonomous live crypto-futures trading bot. Start on testnet, use restricted trading-only credentials, set explicit small budgets instead of relying on balance auto-detection, review notification destinations, pin dependencies, and do not enable the five-minute cron job until you are comfortable monitoring and stopping it.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
Step 4: Atomic Execution ... set leverage on both exchanges ... place the HL order first ... then place the Binance order ... Binance fails → automatically roll back the HL leg

The skill explicitly performs high-impact exchange actions: setting leverage, placing futures orders, and rolling back/closing positions.

User impact: If enabled against live accounts, the skill can create real leveraged crypto-futures positions and losses without a separate approval for each trade.
Recommendation: Use testnet first, set explicit small budgets, avoid default balance-based sizing, and require manual review before enabling live automated ticks.
Rogue Agents
Severity: High | Confidence: High | Status: Concern
README.md
openclaw cron add ... --cron "*/5 * * * *" ... --system-event "cd $SKILL_DIR && ... python3 cross_funding.py tick"

The deployment instructions set up recurring autonomous execution every five minutes for a financial trading workflow.

User impact: The bot can continue trading, closing, or switching positions on a schedule until the cron job is disabled.
Recommendation: Do not install the cron job until the strategy is tested; document how to stop it, monitor logs, and use account-level limits.
Human-Agent Trust Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
README.md
Atomic position opening: HL first, then Binance; automatic rollback on failure; no single-leg naked exposure risk

The wording claims no single-leg exposure, but the described design is sequential and relies on rollback after the second leg fails. The HL leg is therefore unhedged from its fill until either the Binance fill or the rollback fill lands, and the rollback itself is another order that can be rejected or fill at a worse price, so residual execution and market risk still exists.

User impact: Users may underestimate the possibility of temporary unhedged exposure or losses during failed or partial execution.
Recommendation: Describe the workflow as best-effort rollback rather than truly atomic, and document residual slippage, liquidity, API failure, and rollback-loss scenarios.
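Worked illustration of the residual exposure described in this finding, added here and not part of the skill's own code: a constructed two-venue model runs the HL-then-Binance sequence with best-effort rollback and records the net signed position after every step, so the window of single-leg exposure and the cost of a rollback are visible. The venue names, prices and the `Venue`/`Exposure` helpers are assumptions for the example, not the skill's API.

```python
from dataclasses import dataclass, field


class VenueError(Exception):
    """Raised when a simulated exchange rejects an order (API error, margin, rate limit)."""


@dataclass
class Fill:
    venue: str
    side: str
    qty: float
    price: float


class Venue:
    """Constructed stand-in for one exchange. `fills` maps a side ("buy"/"sell")
    to the price it would fill at, or None to reject that side outright."""

    def __init__(self, name: str, fills: dict):
        self.name = name
        self.fills = dict(fills)

    def market(self, side: str, qty: float) -> Fill:
        price = self.fills.get(side)
        if price is None:
            raise VenueError(f"{self.name} rejected {side} {qty}")
        return Fill(self.name, side, qty, price)


@dataclass
class Exposure:
    """Net signed position across both legs (+ long, - short) after each step,
    plus any PnL realized by an unwind. A hedge that is truly flat ends at 0."""
    net_qty: float = 0.0
    realized_pnl: float = 0.0
    trail: list = field(default_factory=list)

    def record(self, label: str, delta: float) -> None:
        self.net_qty += delta
        self.trail.append((label, self.net_qty))

    def peak_unhedged(self) -> float:
        # Largest absolute net position seen at any step, even on the happy path.
        return max((abs(q) for _, q in self.trail), default=0.0)

    def stuck(self) -> bool:
        return self.net_qty != 0.0


def open_hedge(hl: Venue, bn: Venue, qty: float) -> Exposure:
    """Sequential two-leg open with best-effort rollback: buy on HL, then sell
    on Binance; if the Binance leg fails, try to sell the HL leg back."""
    ex = Exposure()
    hl_fill = hl.market("buy", qty)          # leg 1: from here on we are long HL
    ex.record("hl_buy", +qty)
    try:
        bn.market("sell", qty)                # leg 2: the hedge closes the exposure
        ex.record("bn_sell", -qty)
        return ex
    except VenueError as err:
        ex.record(f"bn_failed ({err})", 0.0)   # still long HL, now unhedged
    try:
        unwind = hl.market("sell", qty)       # rollback: sell the HL leg back
        ex.record("hl_rollback", -qty)
        ex.realized_pnl += (unwind.price - hl_fill.price) * qty   # slippage is booked here
    except VenueError as err:
        ex.record(f"hl_rollback_failed ({err})", 0.0)  # stuck with a naked leg
    return ex


if __name__ == "__main__":
    hl = Venue("HL", {"buy": 100.0, "sell": 99.75})
    for bn in (Venue("Binance", {"sell": 100.25}), Venue("Binance", {"sell": None})):
        ex = open_hedge(hl, bn, 2.0)
        print(ex.trail, "peak unhedged:", ex.peak_unhedged(), "realized:", ex.realized_pnl)
    print(open_hedge(Venue("HL", {"buy": 100.0, "sell": None}), Venue("Binance", {"sell": None}), 2.0).trail)
```

Even the successful run reports a non-zero peak exposure, which is the point of the finding: "no single-leg exposure" can only be claimed for the end state, not for the interval between the two fills, and the rollback path converts that interval into a realized loss or, if the unwind is also rejected, into an open naked position.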
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
references/requirements.txt
hyperliquid-python-sdk>=0.21.0
eth-account>=0.13.7
python-dotenv>=1.0.0
requests>=2.31.0

The dependencies are lower-bound version ranges rather than pinned exact versions or hashes.

User impact: Future dependency updates could change behavior in a bot that handles exchange credentials and trading actions.
Recommendation: Pin exact dependency versions, review package provenance, and use a locked environment for live trading.
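Added check, not part of the skill or of ClawScan: a small linter over a requirements file that flags missing or lower-bound version specifiers and lines without a `--hash` option, which is the shape `pip-compile --generate-hashes` produces and `pip install --require-hashes` enforces. The four lines from references/requirements.txt are used as input; the pinned line is constructed and its digest is a placeholder, not a real hash.

```python
import re
from dataclasses import dataclass

# name, optional extras, optional operator, rest (version / remaining options)
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(===|==|~=|!=|>=|<=|>|<)?\s*(.*)$"
)

# The four dependency lines quoted on this page.
REQS_FROM_PAGE = """hyperliquid-python-sdk>=0.21.0
eth-account>=0.13.7
python-dotenv>=1.0.0
requests>=2.31.0
"""

# Constructed example of the pinned-and-hashed shape; the digest is a placeholder.
PINNED_EXAMPLE = """requests==2.31.0 \\
    --hash=sha256:""" + "0" * 64 + "\n"


@dataclass
class Finding:
    package: str
    reason: str


def _logical_lines(text: str):
    """Join backslash-continued lines (how pip-compile writes --hash entries)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def check_requirements(text: str, require_hashes: bool = True) -> list:
    """Flag requirement lines a live trading bot should not ship with:
    no version at all, a range operator instead of ==, or no --hash."""
    findings = []
    for line in _logical_lines(text):
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue                      # blank, comment, or pip option line (-r, --index-url)
        spec = line.split(";", 1)[0]      # drop environment markers
        tokens = spec.split()
        hashes = [t for t in tokens if t.startswith("--hash=")]
        head = " ".join(t for t in tokens if not t.startswith("--hash="))
        m = _REQ_RE.match(head)
        if not m:
            findings.append(Finding(head, "unparseable requirement"))
            continue
        name, _extras, op, version = m.groups()
        if op is None:
            findings.append(Finding(name, "no version constraint at all"))
        elif op != "==":
            findings.append(Finding(name, f"range specifier '{op}{version}' instead of an exact pin"))
        if require_hashes and not hashes:
            findings.append(Finding(name, "no --hash, so a substituted artifact would still install"))
    return findings


if __name__ == "__main__":
    for f in check_requirements(REQS_FROM_PAGE):
        print(f"{f.package}: {f.reason}")
    print("pinned example findings:", check_requirements(PINNED_EXAMPLE))
```

Run it against the real requirements.txt before each deployment; every line should come back clean, and an unexpected finding means the lock file was edited by hand or regenerated without hashes.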
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Note
SKILL.md
`HL_PRIVATE_KEY` | ✅ | Hyperliquid private key (main account or Agent Wallet) ... `BINANCE_API_KEY` | ✅ ... `BINANCE_SECRET_KEY` | ✅

The required credentials are real exchange signing/API secrets with trading authority; this is purpose-aligned but highly sensitive.

User impact: Compromise or misuse of these credentials could allow unauthorized trading on the connected accounts.
Recommendation: Prefer a Hyperliquid Agent Wallet, use Binance keys with trading-only permissions, disable withdrawals, enable IP restrictions where possible, and rotate keys if testing is shared.
Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
references/cross_funding.py
oc_path = Path.home() / ".openclaw" / "openclaw.json" ... cfg_path = Path.home() / f".{instance}" / "config.toml" ... Discord bot token: env > first available daemon config

The code falls back to reading local OpenClaw/ZeroClaw daemon configuration files to obtain Discord/Telegram bot tokens, which is broader than simply using explicitly provided environment variables.

User impact: The skill may gain access to notification bot credentials from global local configs that the user did not intend to grant to this strategy.
Recommendation: Require notification tokens to be passed explicitly via environment variables, or clearly declare and document the local config paths and token fallback behavior.
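One way to turn the fallback into an explicit grant, as an added example rather than the skill's own loader: the token is taken from the environment, and daemon configuration files are consulted only when the user opts in with a separate environment variable, in which case the file that supplied the token is reported so it shows up in logs. `DISCORD_BOT_TOKEN`, `ALLOW_DAEMON_TOKEN_FALLBACK` and the flat JSON layout of the config file are assumptions; the page does not show the daemon config schema or the real variable names.

```python
import json
from pathlib import Path
from typing import Callable, Mapping, Optional


class MissingToken(Exception):
    """No token was explicitly provided and ambient discovery was not enabled."""


def _read_json_token(path: Path, key: str) -> Optional[str]:
    """Assumed layout: a flat JSON object with the token under `key`.
    The real daemon config layout is not shown on the page."""
    try:
        return json.loads(Path(path).read_text()).get(key)
    except (OSError, ValueError, AttributeError):
        return None


def resolve_token(
    name: str,
    env: Mapping[str, str],
    daemon_configs: tuple = (),
    read_token: Callable[[Path, str], Optional[str]] = _read_json_token,
) -> tuple:
    """Return (token, source). Explicit env wins. Daemon configs are an opt-in
    fallback gated by ALLOW_DAEMON_TOKEN_FALLBACK=1 (assumed name), and the file
    that supplied the token is named in `source` for auditing."""
    value = env.get(name)
    if value:
        return value, "env"
    if env.get("ALLOW_DAEMON_TOKEN_FALLBACK") != "1":
        raise MissingToken(f"{name} not set and daemon-config fallback not enabled")
    for path in daemon_configs:
        value = read_token(Path(path), name)
        if value:
            return value, f"daemon-config:{path}"
    raise MissingToken(f"{name} not found in env or in {list(daemon_configs)}")


def token_source(
    name: str,
    env: Mapping[str, str],
    daemon_configs: tuple = (),
    read_token: Callable[[Path, str], Optional[str]] = _read_json_token,
) -> str:
    """Audit helper: where would this token come from, or 'refused'."""
    try:
        return resolve_token(name, env, daemon_configs, read_token)[1]
    except MissingToken:
        return "refused"


if __name__ == "__main__":
    import os
    # Without the opt-in, a missing env token is an error, not a silent read of ~/.openclaw.
    print(token_source("DISCORD_BOT_TOKEN", os.environ, (Path.home() / ".openclaw" / "openclaw.json",)))
```

Reporting the source alongside the token is what makes the second recommendation workable: if the fallback is kept, every tick can log "token from daemon-config:~/.openclaw/openclaw.json" and the user sees which global credential the strategy is using.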
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`hourly_pulse` | hourly (while a position is open) ... balances on both exchanges, funding rates, spread, PnL

The notification feature can send exchange balances, rates, spreads, and PnL to Discord or Telegram channels.

User impact: Financial position and performance information may be shared to third-party chat services or channels configured for the bot.
Recommendation: Use private channels, verify channel/chat IDs, and avoid enabling notifications in shared workspaces unless all recipients should see trading data.
Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
references/cross_funding.py
def state_dir() -> Path: ... return Path(d) if d else SCRIPT_DIR ... def save_state(name: str, data: dict) ... json.dumps(data, indent=2

The bot stores persistent JSON state in the skill directory or STATE_DIR, and the strategy documentation says it saves position and balance state.

User impact: Local state files may contain trading state and could influence later ticks if edited or corrupted.
Recommendation: Store state in a protected directory, restrict filesystem permissions, back it up carefully, and avoid sharing it in logs or support requests.
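Added example of the recommended state handling, not the skill's `save_state`: the state file is written owner-only to a temp file and atomically renamed into place, carries an HMAC over its canonical JSON, and is refused on load if its mode or MAC is wrong, so an edited or half-written file cannot drive the next tick. The `position.json` name, the record fields and the key are constructed for the demonstration; a real key would be kept outside the state directory.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


class StateTampered(Exception):
    """State file content does not match its MAC."""


def _canonical(data: dict) -> bytes:
    # Stable serialization so the MAC does not depend on key order or whitespace.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def save_state(path: Path, data: dict, key: bytes) -> None:
    """Write {state, mac} to a 0600 temp file in the same directory, then
    atomically rename it over `path`, so a crashed tick never leaves a
    half-written or group/world-readable state file behind."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    envelope = {"state": data, "mac": hmac.new(key, _canonical(data), hashlib.sha256).hexdigest()}
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")  # mkstemp creates with 0600
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(envelope, f, indent=2)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def load_state(path: Path, key: bytes) -> dict:
    """Refuse state that is readable by others or whose MAC does not verify."""
    path = Path(path)
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {oct(mode)}; expected owner-only")
    envelope = json.loads(path.read_text())
    expected = hmac.new(key, _canonical(envelope["state"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
        raise StateTampered(f"{path} failed integrity check")
    return envelope["state"]


def demo() -> dict:
    """Round-trip a constructed position record, then edit the file by hand the
    way a stray editor or a corrupted disk might, and report that the load is refused."""
    key = b"constructed-demo-key-keep-the-real-one-outside-the-state-dir"
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "position.json"
        record = {"symbol": "ETH", "hl_qty": 2.0, "bn_qty": -2.0, "entry_ts": 1714551720}
        save_state(path, record, key)
        result = {"roundtrip_ok": load_state(path, key) == record,
                  "mode": oct(stat.S_IMODE(path.stat().st_mode))}
        edited = json.loads(path.read_text())
        edited["state"]["hl_qty"] = 20.0          # someone "fixes" the size by hand
        path.write_text(json.dumps(edited))       # same file, so mode stays 0600
        try:
            load_state(path, key)
            result["tamper_detected"] = False
        except StateTampered:
            result["tamper_detected"] = True
        return result


if __name__ == "__main__":
    print(demo())
```

The MAC only proves the file was last written by something holding the key, so it does not replace backups or the file-permission check; it is what turns a silently corrupted position record into a refused tick that a human has to look at.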