BTC/ETH AI Trader

Pass

Audited by VirusTotal on May 7, 2026.

Overview

Type: OpenClaw Skill
Name: btc-eth-ai-signal
Version: 1.0.1

The skill bundle is a legitimate cryptocurrency trading analysis tool that fetches market data from CoinEx and Gate.io and pushes reports to user-configured messaging platforms (Feishu, Telegram, Discord, WeCom). The code in scripts/advise.py, scripts/check.py, and scripts/push.py is transparent, lacks obfuscation, and contains no evidence of data exfiltration, malicious execution, or harmful prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If these credentials or webhooks leak, someone else could send messages through the configured app, bot, or webhook.

Why it was flagged

The skill expects users to place messaging app secrets, bot tokens, and webhook URLs in config.json so it can send reports. This is purpose-aligned, but these values are credentials with message-posting authority.

Skill content

"secret": "your_feishu_app_secret", "bot_token": "", "webhook_url": ""

Recommendation

Use dedicated low-privilege bots or webhooks, restrict recipients, keep config.json private, and rotate any exposed tokens.

What this means

If enabled, the skill may continue sending trading reports to configured channels on a schedule.

Why it was flagged

The README documents a user-added cron schedule that would run the push script every 30 minutes. This is disclosed and user-directed, but it creates ongoing automated activity until disabled.

Skill content

*/30 * * * * cd /path/to && PYTHONPATH=. python3 scripts/push.py

Recommendation

Only add the cron job if you want recurring notifications, monitor where messages go, and remove the cron entry when no longer needed.

What this means

Running the analysis may contact Gate.io as well as CoinEx, which affects network exposure and reliability expectations.

Why it was flagged

The docs emphasize CoinEx as the data source, but the code also contacts Gate.io for public funding-rate data. This does not send user credentials, but it is an additional external dependency users may not expect.

Skill content

urllib.request.urlopen("https://api.gateio.ws/api/v4/futures/usdt/tickers?contract=BTC_USDT", timeout=5)

Recommendation

Document all external data sources and avoid running the skill in environments where that outbound API call is not acceptable.

What this means

The visible code appears coherent, but the review has less assurance than it would with the complete file contents visible.

Why it was flagged

The provided artifact view marks scripts/advise.py as truncated, so this review could not inspect every line of that file, even though the static scan reported no suspicious patterns.

Skill content

"truncated": true

Recommendation

Review the full scripts/advise.py source locally before installation or scheduled use.