Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Crypto Trader AI

v1.3.0

Automated cryptocurrency trading system powered by AI. Instruct the agent to analyze the market and execute Binance spot trades based on technical indicators.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name/description align with the code and runtime instructions: market analysis and Binance spot trades. Required env vars (BINANCE_API_KEY, BINANCE_SECRET, SKILL_BILLING_API_KEY, SKILL_ID) are consistent with trading + billing. Minor mismatch: registry required binaries list is empty, while SKILL.md and scripts expect python3 and Python dependencies.
Instruction Scope
SKILL.md instructs only to run the included analysis and execution scripts and to present billing links when charge_user returns payment_url. The scripts do not read unrelated system files or exfiltrate data to unexpected endpoints—the network calls are to Binance public API, ccxt -> Binance, and skillpay.me for billing. The agent is allowed to execute real trades if given keys and instruction to trade autonomously, which is expected behavior for this skill but high-risk by nature.
Install Mechanism
No installer downloads or archive extracts are present (instruction-only install). All code is included in the skill bundle; no remote install URLs or package installers are invoked by the skill itself.
Credentials
Requesting BINANCE_API_KEY and BINANCE_SECRET is appropriate for trading. However, billing.py contains a hard-coded SKILL_BILLING_API_KEY and a default SKILL_ID value—this embedded credential is a red flag (possible accidental secret leakage or publisher-provided fallback that will be used if the user does not set env vars). billing.charge_user also sends amount=0 in the charge call (contradicting the documented per-call fee), which looks like a logic bug or deliberate no-op. These items reduce transparency about who receives billing events and what the default behavior is when env vars are not set.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configs. It requires runtime environment variables to function but does not request elevated or persistent platform privileges.
What to consider before installing
This skill largely does what it says (analyze market data and place Binance spot orders), but proceed cautiously:

  1. Do not provide real BINANCE_API_KEY / BINANCE_SECRET until you have fully reviewed and tested the code; use the --testnet flag and Binance testnet API keys first.
  2. The billing module includes a hard-coded SKILL_BILLING_API_KEY and default SKILL_ID—confirm the identity and trustworthiness of the publisher (source is unknown) before relying on or allowing billing.
  3. Consider whether billing should be enabled at all; you can use the --skip-billing flag when testing, but verify behavior.
  4. If you decide to use real keys, create API credentials with minimal permissions (trading-only, withdraw disabled) and be ready to rotate/revoke them.
  5. Ask the publisher for provenance (homepage, source repo, or contact) and a justification for the embedded billing key and the zero-amount charge behavior; these are the primary inconsistencies that need explanation.

If you cannot confirm those, treat the skill as untrusted and run it only in an isolated/test environment.
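The Credentials finding above (a credential baked in as the fallback when the env var is unset) can be checked mechanically during review. The following is an added example, not code from the skill or from ClawHub: the page does not show billing.py, so SAMPLE is a constructed stand-in with placeholder values, and the function names and the SECRET_HINTS list are assumptions of this example.

```python
import ast

# Substrings that mark an env var as credential-like (assumption of this example;
# SKILL_ID is included because the scan calls out its default value).
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "SKILL_ID")
ENV_GETTERS = ("os.environ.get", "os.getenv", "environ.get", "getenv")

def _env_lookup(node):
    """Return (env_name, default_node) for an env-var getter call, else None."""
    if not isinstance(node, ast.Call) or not node.args:
        return None
    if ast.unparse(node.func) not in ENV_GETTERS:
        return None
    name = node.args[0]
    if not (isinstance(name, ast.Constant) and isinstance(name.value, str)):
        return None
    default = node.args[1] if len(node.args) > 1 else None
    for kw in node.keywords:
        if kw.arg == "default":
            default = kw.value
    return name.value, default

def find_hardcoded_fallbacks(source):
    """List (line, env_name) where a credential-like env var falls back to a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.BoolOp) and isinstance(node.op, ast.Or):
            # Pattern: os.getenv("X") or "literal"
            hit = _env_lookup(node.values[0])
            candidate = (hit[0], node.values[-1]) if hit else None
        else:
            # Pattern: os.environ.get("X", "literal")
            candidate = _env_lookup(node)
        if not candidate:
            continue
        name, default = candidate
        literal = (isinstance(default, ast.Constant)
                   and isinstance(default.value, str) and default.value != "")
        if literal and any(h in name.upper() for h in SECRET_HINTS):
            findings.append((node.lineno, name))  # never echo the secret itself
    return sorted(findings)

# Constructed sample, not the skill's billing.py; values are placeholders.
SAMPLE = '''\
import os
API_KEY = os.environ.get("SKILL_BILLING_API_KEY", "sk_PLACEHOLDER_not_a_real_key")
SKILL_ID = os.getenv("SKILL_ID") or "00000000-placeholder"
BINANCE_SECRET = os.environ.get("BINANCE_SECRET")
TIMEOUT = os.environ.get("HTTP_TIMEOUT", "10")
'''

if __name__ == "__main__":
    for line, name in find_hardcoded_fallbacks(SAMPLE):
        print(f"line {line}: {name} falls back to a hard-coded literal")
```

A fail-closed loader raises when the variable is unset instead of substituting a publisher-supplied value, which also makes it explicit whose billing account receives the events.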

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: SKILL_BILLING_API_KEY, SKILL_ID, BINANCE_API_KEY, BINANCE_SECRET
MIT-0

Auto Crypto Trader

This skill empowers you, the AI Agent, to act as an autonomous cryptocurrency trader. You can run technical analysis on symbols like BTCUSDT, and based on your findings, execute real market orders on Binance.

Prerequisites

  1. Ensure the user has the Python libraries requests and ccxt installed. If not, tell them to run pip install requests ccxt.
  2. To execute REAL trades, the user MUST provide the BINANCE_API_KEY and BINANCE_SECRET environment variables. You must ask them to set these securely before you execute the trade tool.

Billing (0.001 USDT per call via SkillPay)

This is a paid skill. Every analysis and trade execution call requires the --user USER_ID parameter, which you must fill in for billing tracking. If a call fails with a payment_url, you must show this link to the user and stop trading until they top up.


Tool 1: Analyze Market

When to use: Use this tool to analyze whether the market currently has a strong BUY or SELL signal. You should run this before making any trades.

Command:

python scripts/analyze_market.py --user USER_ID --symbol BTCUSDT --interval 1h

Parameters:

  • --symbol: The trading pair on Binance (no slashes), e.g., BTCUSDT, ETHUSDT
  • --interval: The timeframe (e.g., 15m, 1h, 4h, 1d)
  • --user: The user's ID for billing. Pass the username you're talking to.

Output: Returns current prices, moving averages, RSI, Bollinger Bands, and an action recommendation (BUY, SELL, or HOLD). If the action is BUY and the user told you to trade autonomously, you should proceed to Tool 2.


Tool 2: Execute Trade

When to use: Use this tool when you have verified an opportunity and want to execute a market order on Binance. CRITICAL: You must pass the API keys as environment variables when making this call.

Command:

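# Example syntax for POSIX shells (on Windows PowerShell, remind the user to set $env:BINANCE_API_KEY and $env:BINANCE_SECRET first)
# Note: inline assignments like these are recorded in shell history; exporting the variables beforehand avoids that.
BINANCE_API_KEY="user_key_here" BINANCE_SECRET="user_secret_here" python scripts/execute_trade.py --user USER_ID --symbol BTC/USDT --side buy --amount 0.001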

Parameters:

  • --symbol: The trading pair WITH SLASH (e.g., BTC/USDT, NOT BTCUSDT)
  • --side: buy or sell
  • --amount: The quantity of the BASE currency to trade (e.g., 0.001 means 0.001 BTC). You must calculate this properly before trading.
  • --user: The user's ID for billing.
  • --testnet: (Optional flag). Include this if the user wants to test with virtual balances on Binance Testnet first. Highly recommended for first-time use.

Result Validation: The script will return JSON containing "status": "success" and an "order_id" if the trade goes through. If it fails due to authentication or insufficient funds, tell the user exactly what went wrong.
