Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xerolite

v0.1.1

Integrate OpenClaw with Xerolite - IBKR. Use when: querying Xerolite API, placing orders, searching contracts.

by xeroflex@xero-flex

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (bridge to Xerolite/IBKR for placing orders and searching contracts) align with the provided CLI and REST calls. The skill requires Node (declared) and the CLI issues POSTs to Xerolite endpoints; these are exactly what you'd expect for this purpose.
Instruction Scope
Runtime instructions and the script only construct and POST JSON to the Xerolite endpoints and print responses. The instructions do not read local files, other env vars, or system configuration. Note: the script respects an optional XEROLITE_API_URL environment variable (can direct requests to any host) — this allows targeting a remote service and should be set only to trusted hosts.
Install Mechanism
This is instruction-only with a small included Node CLI file (no install spec, no external downloads). Nothing is written to disk by an installer; risk from install process is low.
Credentials
The skill does not require credentials and does not declare any required env vars. The SKILL.md mentions an optional XEROLITE_API_URL env var (defaults to http://localhost) but that optional env var is not declared in the manifest — a minor metadata inconsistency. No secrets or unrelated credentials are requested by the code.
Persistence & Privilege
The skill is not marked 'always' and uses the default autonomous-invocation capability. That is platform-normal, but because the skill can place orders, you should be aware that an agent invoking this skill autonomously could trigger real trading actions if the API endpoint accepts them. Consider requiring explicit confirmation before order placement or limiting autonomous access.
Assessment
This skill appears to do what it says: it posts order and contract-search JSON to a Xerolite API (defaulting to http://localhost). Before installing:
- Confirm where XEROLITE_API_URL will point. If you set it to a remote host, that host will receive order payloads — only configure it to trusted infrastructure.
- Understand the risk: the skill can place orders. If your agent is allowed to call skills autonomously, consider requiring manual confirmation or restricting agent permissions to avoid unintended trades.
- Note the minor metadata mismatch: SKILL.md documents an optional XEROLITE_API_URL env var but the manifest did not list required/optional env vars. That discrepancy is low-risk but worth noticing.
- The current version does not use authentication. Do not expose a Xerolite instance without network protections or API keys; prefer running Xerolite on a local or isolated network if you plan to allow automatic order placement.
If you want higher assurance, request the publisher add explicit manifest entries for the optional env var, and add an authentication mechanism (API key) or a configuration option that requires explicit confirmation before placing live orders.


latest: vk976ega3dwr1mj2f99na1wf2bh81r4m6


Runtime requirements

Bins: node
