Crypto Trading
WarnAudited by ClawScan on May 18, 2026.
Overview
This skill is a Review risk because it instructs an agent to repeatedly make and place crypto trades using account access, while the needed credentials, code, and safety controls are not clearly declared.
Do not connect this skill to a live exchange account unless you have reviewed the missing trading code, verified the exact credentials and API scopes, enabled trade-only keys with withdrawals disabled, set strict loss and position limits, and confirmed how to stop the 10-minute automation and clear stored trading logs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run against a real exchange account, the agent could buy or sell crypto automatically and potentially cause financial loss.
The skill directs an autonomous loop that can place market orders, a high-impact financial action, without clearly requiring per-trade user confirmation or defining operational limits.
每 10 分钟自动执行交易决策循环 ... 生成最终决策:BUY/SELL/HOLD ... 执行市价单
Require explicit user opt-in, paper-trading by default, per-trade confirmation or clearly bounded automation, maximum loss limits, and a documented emergency stop.
Users may not understand what exchange credentials or trading permissions the skill needs, or how broadly those credentials could be used.
Reading account balances/positions and executing trades requires privileged exchange account access, but the registry metadata declares no primary credential, required environment variable, or config path.
获取账户持仓和余额 ... 执行市价单
Declare the exact credential requirements, supported exchange, required scopes, and safe key settings; use trade-only API keys with withdrawals disabled and least-privilege limits.
The real code that collects data, calculates orders, and executes trades could differ from the description or have unsafe behavior.
The skill relies on helper scripts and a local project directory that are not included in the artifact set; with no install spec or code files present, the actual trading implementation cannot be reviewed.
`core/data_collector.py` ... `core/enhanced_trade_executor.py` ... `/Users/zst/Documents/ML/CryptoTrading/`
Package the referenced files, remove user-specific absolute paths, pin dependencies, and make the trading executor auditable before live use.
Trading activity, strategy decisions, and possibly account-related state may persist locally and influence future agent behavior.
The skill records trading decisions, state, and AI analysis comparisons in persistent memory/database locations, which is expected for a trading log but should be visible to users.
保存决策到 memory/trading/YYYY-MM-DD.md ... 更新 memory/crypto_trading_state.json ... 双分析对比落库
Document what is stored, where it is stored, how long it is kept, and how users can review or delete the trading memory/state.