Back to skill
Skillv1.0.0
ClawScan security
Crypto Trading · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 3, 2026, 11:55 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill claims to autonomously trade crypto using two AIs and local code, but its instructions reference local files, exchange actions, and external AI services while declaring no credentials, no code, and no install — these gaps are incoherent and risky.
- Guidance
- Do not install or grant credentials yet. This skill is incomplete and inconsistent: it references local Python files and user directories that are not provided, and it describes executing live market orders while declaring no exchange/API credentials or endpoints. Before proceeding, ask the author to: (1) provide the missing code or a clear install procedure, (2) list exactly which exchange(s) are supported and how API keys should be supplied and scoped, (3) show how Dify/OpenClaw are called (endpoints, required keys), (4) remove or explain hard-coded local file paths and confirm where logs and state will be stored, (5) provide a way to run in read-only/simulated mode for testing, and (6) supply a security review or provenance for the code. If you must test, do so only in a tightly sandboxed environment with no real exchange credentials (use paper/simulated accounts) and only after reviewing the actual code that will be executed.
Review Dimensions
- Purpose & Capability
- concernThe description promises automated trading and market order execution, but the skill declares no exchange integration, no API keys, and no code files. A legitimate trading skill would normally require exchange API credentials and concrete connector code. The SKILL.md lists many project .py files yet none are provided in the package.
- Instruction Scope
- concernRuntime instructions tell the agent to fetch market data, call Dify AI and OpenClaw, compute orders (order_amount.py), execute market orders, and write logs to specific user paths (/Users/...). These instructions reference local project files and user home paths that are not part of the skill and do not declare the external endpoints, credentials, or scheduling mechanism. The guidance is both vague (no API endpoints or auth) and expansive (filesystem writes, executing trades).
- Install Mechanism
- noteThere is no install spec (instruction-only), which is low risk in isolation. However, because SKILL.md expects local project files and executables, the lack of an install or bundled code makes the skill incomplete and increases the chance that an agent will attempt unsafe actions (searching for files, invoking local scripts) to satisfy the instructions.
- Credentials
- concernThe skill declares no required environment variables or primary credential, yet its operation would reasonably require sensitive secrets (exchange API keys/secret, API keys for Dify/OpenClaw/qwen). The absence of declared credentials is a mismatch — either the skill omitted required sensitive inputs, or it expects to read unspecified local credentials/configs (the SKILL.md references user config paths). Both are disproportionate and unexplained.
- Persistence & Privilege
- notealways:false (not force-included) and autonomous invocation enabled (default). Autonomous invocation plus the ability to execute trades would increase blast radius if the skill were given credentials, but autonomous invocation alone is normal. Still, combining autonomous operation with the trading actions described would be high-risk — confirm explicit user consent and credential scoping before use.