Orderly Trading Orders
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is coherently about Orderly trading, but it enables high-impact financial order placement with trading credentials and provides no clear approval step, scope limits, or credential declaration.
Install only if you intend to let the agent help with Orderly trading workflows. Do not provide live trading keys unless you have strict account limits, are ready to confirm every order manually, and understand that incorrect automated or batch trading actions can cause real financial loss.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with valid credentials, an agent or generated code could place trades that may cause financial loss.
The skill documents direct authenticated calls to place trading orders. That is purpose-aligned, but it is a high-impact financial action and the visible instructions do not require explicit user approval or bounded order limits before submission.
- `POST /v1/order ... fetch('https://api.orderly.org/v1/order', { method: 'POST', ... body, })`
Require explicit, per-order user confirmation before submission that restates the symbol, side, order type, price, quantity, maximum notional value, and whether the request targets live or testnet, so that a generic approval cannot be reused for a different order.
Users may not realize before installation that the skill expects credentials capable of placing or changing live trades.
A trading-scope API key grants authority to mutate a financial account. The registry metadata separately declares no primary credential or required environment variables, so the credential expectation is under-declared at the package level.
- Ed25519 API key with `trading` scope
Declare the credential requirement in metadata, document exactly how keys should be provided and protected, and recommend least-privilege keys, subaccounts, restricted permissions, and key rotation.
A mistake could propagate into repeated or batch trades before the user notices.
Automated trading and the described batch/order-management purpose can amplify a single bad prompt, bug, or strategy error into many financial actions. The visible artifact does not define containment such as rate limits, dry-run mode, position limits, or kill switches.
- Creating automated trading bots
Use sandbox (testnet) testing first, require human review for automated or batch strategies, set exchange/API-side order and notional limits, and document an emergency procedure to cancel open orders and disable the key.
