NOFX AI Trading
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is for real crypto trading and can use trading keys or logged-in browser sessions to activate bots, so it needs careful review before use.
Install only if you intentionally want an agent to help manage a crypto-trading platform. Use test accounts or sub-accounts, disable withdrawals, limit API permissions, require explicit confirmation before live trading actions, and review the remote install script before running it.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could unintentionally authorize a live trading strategy or bot action from a casual request, risking financial loss.
The skill tells the agent to turn a natural-language strategy into an activated trading strategy, which can cause real financial trades if connected to an exchange.
When user describes a strategy in natural language: ... Create new strategy and fill in fields ... Save and activate
Require explicit user confirmation before saving, activating, starting, stopping, or changing any trader or strategy; prefer backtesting or dry-run mode first.
If these keys are misused or over-scoped, automated actions could trade on the user's exchange accounts.
The exchange setup asks for API credentials with trading permissions, which are high-impact account privileges and can place orders with user funds.
Enable permissions: - ✅ Read - ✅ Spot & Margin Trading - ✅ Futures Trading
Use testnet or isolated sub-accounts, disable withdrawals, enable IP whitelisting, set strict limits, and only grant the minimum permissions needed.
The agent may act with the same authority as the logged-in user on the trading dashboard.
The agent is expected to use a logged-in browser profile, giving it the user's active NOFX web session for account and trader operations.
Browser profile `clawd` should be logged into nofxai.com - Use `browser` tool with `profile: "clawd"`
Use a dedicated low-privilege browser profile and require confirmation before any account-changing action.
Installing or updating this way runs whatever code is currently served from that repository.
The deployment guide recommends executing an unpinned remote script from the current GitHub main branch; this is user-directed setup, but it has supply-chain risk.
curl -fsSL https://raw.githubusercontent.com/NoFxAiOS/nofx/main/install.sh | bash
Review the script before running it, prefer pinned releases or checksums, and avoid installing it on systems that hold unrelated sensitive data.
Reports may continue running and sending notifications after initial setup until the schedule is removed.
The skill documents a recurring scheduled agent task that generates and sends market reports every 30 minutes.
"schedule": {"kind": "cron", "expr": "*/30 * * * *"}, ... "kind": "agentTurn", ... "deliver": true, "channel": "telegram"
Only enable scheduled reports intentionally, verify the recipient, and know how to disable the cron job.
Account performance or trading information could be exposed to third-party chat systems or webhook endpoints configured by the user.
The notification guide supports sending trading and P&L information to external messaging or webhook services.
Supported Notification Channels ... Telegram ... Discord ... Slack ... Custom ... P&L Report Template ... Equity: ${equity}\nP&L: ${pnl}
Send reports only to trusted private channels, protect webhook URLs and bot tokens, and avoid including sensitive account details unless necessary.
