Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Standx Cli
v0.5.0
Crypto trading CLI for StandX exchange v0.3.5. Use when users need to: (1) Query crypto market data (prices, order books, klines, funding rates), (2) Manage...
by Lance @wjllance
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and runtime instructions consistently describe a crypto trading CLI that requires the 'standx' binary and the StandX JWT/private key for trading — these requirements are coherent with the stated purpose. However, registry-level metadata at the top shows no primary credential while the SKILL.md and openclaw metadata declare STANDX_JWT as the primary credential; that's an internal inconsistency in declarations.
Instruction Scope
SKILL.md instructions stay within the expected scope: installing the 'standx' binary, using it to query market data and manage orders, and guidance for authenticating via environment variables, files, or interactive login. The instructions warn about credential hygiene and do not direct data to unexpected external endpoints beyond the documented StandX API/WebSocket endpoints.
Install Mechanism
Install options use Homebrew (wjllance tap) and curl of GitHub release tarballs, then sudo mv to /usr/local/bin. Downloading from GitHub releases is common and acceptable if the repository is trustworthy, but the Homebrew formula is from a user tap rather than an official repo and the scripts hardcode a specific v0.3.5 artifact while registry/version metadata references v0.5.0 — this version mismatch and reliance on a personal tap/release should be verified (checksums, repository ownership, release provenance) before running the install scripts with sudo.
Credentials
The only sensitive items the skill needs (STANDX_JWT and optionally STANDX_PRIVATE_KEY) are appropriate for a trading CLI. However, the registry summary at the top lists no required env/primary credential while the SKILL.md/openclaw metadata declare STANDX_JWT as primary, an inconsistency that could cause misconfiguration or surprise prompts. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent settings, and is user-invocable only. The install scripts require sudo to place the binary in /usr/local/bin (normal for CLI installs) but the skill itself does not demand elevated runtime privileges or permanent platform-level presence.
What to consider before installing
This skill appears to be what it claims (a CLI for StandX), but check a few things before installing or providing credentials:
- Verify the upstream repository and author: review https://github.com/wjllance/standx-cli (or the repo referenced) and confirm releases match the SHA sums in the release notes. Don't run curl|sudo blindly.
- Note the version mismatch: many files/scripts reference v0.3.5 while the registry shows 0.5.0. Confirm you are installing the intended version.
- Prefer Homebrew only if you trust the 'wjllance' tap. If unsure, clone the repo, inspect sources, and build locally or use a vetted distribution channel.
- Treat STANDX_JWT and STANDX_PRIVATE_KEY as sensitive: use ephemeral tokens, keep them in restricted files (chmod 600) or environment variables in a session, and rotate tokens regularly.
- Avoid passing credentials on the command line (the SKILL.md warns of this); use file-based or env-var authentication as recommended.
- If you must run the installer script, inspect it first and verify the GitHub release tarball contents and digital signature (if provided). Consider installing the binary in a sandbox/container first to test behavior.
If you want, I can: (1) help list steps to verify the GitHub release (checksums, tags), (2) show a safe checklist for installing third-party CLI binaries, or (3) fetch the repo metadata to compare versions if you provide the repo URL to inspect.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📈 Clawdis
Bins: standx
Install
Install StandX CLI via Homebrew
Bins: standx
brew install wjllance/standx-cli/standx-cli