Skill v2.0.5

ClawScan security

Openclaw Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 1:42 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code, requirements, and install steps are coherent with a prob.trade analytics + trading integration; no obvious exfiltration or unrelated privileges are present, though there are small documentation inconsistencies you should be aware of.
Guidance
This skill appears to be what it claims: a Python-based client for prob.trade analytics and trading. Before installing, confirm you trust prob.trade (https://app.prob.trade) and are comfortable granting it an API key and secret.

Notes:
- The skill stores/reads keys from ~/.openclaw/skills/probtrade/config.yaml or from PROBTRADE_API_KEY / PROBTRADE_API_SECRET; the code signs requests locally using HMAC and does not send the secret in requests (only the signature and the public key header).
- SKILL.md/README contain minor contradictions about whether analytics endpoints need auth; the implementation handles both modes. If you expect unauthenticated analytics, you can omit keys and the code will call public endpoints without signing.
- Source owner is an unknown registry ID; if provenance matters, prefer installing from an authoritative source (prob.trade or a verified ClawHub repo) or review the shipped files yourself (they are small and readable). If you're concerned, run the skill in a restricted/sandboxed environment or inspect network traffic to confirm requests go only to api.prob.trade/app.prob.trade.
- You can revoke API keys from the prob.trade dashboard if needed.

Review Dimensions

Purpose & Capability
Status: ok
Name/description match the actual code and dependencies: a Python CLI that queries prob.trade public and trading APIs and places orders. Required binary (python3), required env vars (PROBTRADE_API_KEY, PROBTRADE_API_SECRET), and the documented config path are all relevant to the stated purpose.
Instruction Scope
Status: note
Runtime instructions ask you to store the API key/secret in ~/.openclaw/skills/probtrade/config.yaml or env vars and to run the included Python scripts. The SKILL.md has contradictory statements about whether analytics endpoints require auth (some places say 'public API (no auth)' while other places and the Setup section state 'All commands require a prob.trade API key'). The code supports both (it will sign requests if keys are present), but the documentation inconsistency is worth noting.
Install Mechanism
Status: ok
The install spec only pulls a known package (brew formula python@3 to provide python3). No downloads from unknown hosts or archives; the code is included in the skill bundle. The installation mechanism is low-risk.
Credentials
Status: ok
The skill requires an API key and secret for trading; these are used to compute local HMAC signatures. The declared env vars exactly match what's used in code. No unrelated credentials (AWS, GitHub, etc.) are requested. The skill also reads a config file in the skill directory and ~/.openclaw/skills/probtrade/config.yaml as expected.
Persistence & Privilege
Status: ok
The "always" flag is false, the skill does not request system-wide config changes, and it only reads its own config path. It does not modify other skills or system settings.