ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ccxt Crypto Api

v0.3.3

CCXT 库统一封装全球主流加密货币交易所的交易 API,支持订单管理、市场行情查询、账户余额监控与自动化借贷等核心操作。

0· 63·0 current·0 all-time
byTang Weigang@tangweigang-jpg

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tangweigang-jpg/ccxt-crypto-api.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Ccxt Crypto Api" (tangweigang-jpg/ccxt-crypto-api) from ClawHub.
Skill page: https://clawhub.ai/tangweigang-jpg/ccxt-crypto-api
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install tangweigang-jpg/ccxt-crypto-api

ClawHub CLI

Package manager switcher

npx clawhub@latest install ccxt-crypto-api
Security Scan
Capability signals
CryptoRequires walletCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description advertise a CCXT crypto-trading API, including placing orders and monitoring balances. However the SKILL.md and reference files repeatedly mention ZVT (an A-share/backtesting toolkit), A-share use-cases, and preconditions that import and test zvt. The skill does not declare required exchange API keys or credentials even though many listed use cases perform authenticated trading. These items do not align: a pure CCXT trading helper would normally declare or request API key secrets and not require zvt for basic exchange operations.
!
Instruction Scope
Runtime instructions force reads of local artifacts (seed.yaml) and list preconditions that run python -c checks to import zvt, verify zvt version, ensure ZVT_HOME exists, and attempt to write a test file in that directory. The execution_protocol in seed.yaml also instructs running install recipes and reloading seed.yaml before any behavioral decision. Those checks operate on the agent host environment and may trigger package installs or filesystem writes; they are broader than what a simple CCXT wrapper should need. The SKILL.md also instructs the agent to enforce many domain locks (fatal constraints) which broaden runtime behavior.
Install Mechanism
There is no declared install spec (instruction-only), which is low risk. However the SKILL.md/seed.yaml assume a Python 3.12+ environment and reference running pip installs and host install_recipes. The absence of a formal install step but presence of procedural install instructions is an inconsistency—the agent may attempt to run package installs at runtime despite no install manifest being provided.
!
Credentials
The skill declares no required environment variables or primary credentials, yet its stated capabilities include authenticated exchange operations (orders, account monitoring) that normally require API keys and secrets. The SKILL.md references ZVT_HOME and preconditions check that env var; this env var is not declared in requires.env. The mismatch—no declared API credentials but expectation of exchange operations and local environment checks—indicates disproportionate or undocumented environment access.
Persistence & Privilege
always is false and the skill does not request permanent platform-level privileges. There is no evidence it modifies other skills' configurations. The main risk is procedural: the skill's runtime instructions may run package installs or write to ZVT_HOME, but that is scoped to host actions and not a persistent privilege flag in the registry.
What to consider before installing
This skill is internally inconsistent and should be reviewed before use. Specific things to consider: - Clarify purpose with the author: is this a CCXT exchange wrapper or a ZVT-driven backtest pipeline? The SKILL.md mixes both. - Do NOT run this against real exchange accounts until you verify where and how API keys are used. The skill lists trading use cases but does not declare or document required API_KEY/TOKEN variables—if you provide keys, scope them to read-only or limited test accounts and use exchange sandbox environments. - The runtime instructions run Python commands that check/import zvt, validate ZVT_HOME, and may instruct package installs or create files. Run in an isolated environment (container or VM) first, and inspect seed.yaml and references/ files offline to confirm behavior. - If you plan to run authenticated operations, request explicit documentation of required credentials and how they are used; prefer ephemeral or least-privilege keys. - If you want this skill for only CCXT-based exchange interactions, ask the maintainer to remove unrelated ZVT preconditions and to explicitly declare required env vars (API keys) and any install steps. What would change this assessment: confirmation from the publisher that the reference ZVT checks are incidental (e.g., artifact from blueprint compilation) and will be removed, or an updated SKILL.md that explicitly declares required exchange credentials and a minimal, consistent set of preconditions. If such clarifications are provided, confidence could move to benign. Without that, the mixing of domains and undocumented environment access makes this suspicious.

Like a lobster shell, security has layers — review code before you run it.

cryptovk972wkadfmtf7b863qh8gawj7185caegdoramagic-crystalvk972wkadfmtf7b863qh8gawj7185caegfinancevk972wkadfmtf7b863qh8gawj7185caeglatestvk972wkadfmtf7b863qh8gawj7185caeg
63downloads
0stars
4versions
Updated 3d ago
v0.3.3
MIT-0
Tang Weigang@tangweigang-jpg
cryptodoramagic-crystalfinancelatest
Download

CCXT 加密交易接口 (ccxt-crypto-api)

CCXT 库统一封装全球主流加密货币交易所的交易 API,支持订单管理、市场行情查询、账户余额监控与自动化借贷等核心操作。

Pipeline

data_collection -> data_storage -> factor_computation -> target_selection -> trading_execution -> visualization

Top Use Cases (100 total)

Bitfinex fUST Lending Bot (UC-101)

Automates cryptocurrency lending on Bitfinex by checking for lending opportunities and executing market orders to deploy funds into lending markets Triggers: lending, bot, bitfinex

Cross-Exchange Spot Arbitrage Bot (UC-102)

Scans multiple exchanges (OKX, Bybit, Binance, KuCoin, BitMart, Gate.io) for price discrepancies in spot markets and executes arbitrage trades Triggers: arbitrage, spot trading, cross-exchange

Binance Create and Cancel Order (UC-103)

Demonstrates creating a limit order on Binance and then canceling it, useful for testing order workflows Triggers: create order, cancel order, binance

For all 100 use cases, see references/USE_CASES.md.

Execute trigger: When user intent matches intent_router.uc_entries[].positive_terms AND user uses action verb (run/execute/跑/执行/backtest/fetch/collect)

What I'll Ask You

  • Target market: A-share (default), HK, or crypto? (US stocks in ZVT are half-baked — stockus_nasdaq_AAPL exists but coverage is thin)
  • Data source / provider: eastmoney (free, no account), joinquant (account+paid), baostock (free, good history), akshare, or qmt (broker)?
  • Strategy type: MACD golden-cross, MA crossover, volume breakout, fundamental screen, or custom factor?
  • Time range: start_timestamp and end_timestamp for backtest period
  • Target entity IDs: specific stocks (stock_sh_600000) or index components (SZ1000)?

Semantic Locks (Fatal)

IDRuleOn Violation
SL-01Execute sell orders before buy orders in every trading cyclehalt
SL-02Trading signals MUST use next-bar execution (no look-ahead)halt
SL-03Entity IDs MUST follow format entity_type_exchange_codehalt
SL-04DataFrame index MUST be MultiIndex (entity_id, timestamp)halt
SL-05TradingSignal MUST have EXACTLY ONE of: position_pct, order_money, order_amounthalt
SL-06filter_result column semantics: True=BUY, False=SELL, None/NaN=NO ACTIONhalt
SL-07Transformer MUST run BEFORE Accumulator in factor pipelinehalt
SL-08MACD parameters locked: fast=12, slow=26, signal=9halt

Full lock definitions: references/LOCKS.md

Top Anti-Patterns (13 total)

  • AP-CRYPTO-TRADING-001: Float Arithmetic for Monetary Values
  • AP-CRYPTO-TRADING-002: Missing Market Initialization Before Access
  • AP-CRYPTO-TRADING-003: Bypassing API Facade Layer

All 13 anti-patterns: references/ANTI_PATTERNS.md

Evidence Quality Notice

[QUALITY NOTICE] This crystal was compiled from blueprint finance-bp-111. Evidence verify ratio = 60.5% and audit fail total = 9. Generated results may have uncaptured requirement gaps. Verify critical decisions against source files (LATEST.yaml / LATEST.jsonl).

Reference Files

FileContentsWhen to Load
references/seed.yamlV6+ 全量权威 (source-of-truth)有行为/决策争议时必读
references/ANTI_PATTERNS.md13 条跨项目反模式开始实现前
references/WISDOM.md跨项目精华借鉴架构决策时
references/CONSTRAINTS.mddomain + fatal 约束规则冲突时
references/USE_CASES.md全量 KUC-* 业务场景需要完整示例时
references/LOCKS.mdSL-* + preconditions + hints生成回测/交易代码前
references/COMPONENTS.mdAST 组件地图(按 module 拆分)查 API 时

Compiled by Doramagic crystal-compilation-v6.1 from finance-bp-111 blueprint at 2026-04-22T13:00:53.651332+00:00. See human_summary.md for non-technical overview.

Comments

Loading comments...