Aster Futures
Security checks across malware telemetry and agentic risk
Overview
This skill matches its Aster Futures purpose, but it can authorize mainnet futures trading with an API-wallet private key without a clearly declared credential boundary or visible confirmation guardrails.
Use this only if you intend an agent to interact with Aster mainnet futures. Use a dedicated limited API wallet, never a main wallet private key, and manually confirm every order, batch order, or cancel-all request before it is sent.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is given valid credentials, mistakes or overbroad prompts could result in real orders or order cancellations on the user's futures account.
The skill exposes authenticated endpoints that can place and cancel futures orders, including bulk and cancel-all actions. These are purpose-aligned but high-impact financial mutations, and the visible instructions do not show clear approval or scope limits for executing them.
| `/fapi/v3/order` (POST) | New order ... | Yes |
| `/fapi/v3/batchOrders` (POST) | Place multiple orders ... | Yes |
| `/fapi/v3/allOpenOrders` (DELETE) | Cancel all open orders ... | Yes |
Require explicit user confirmation before every trade, batch order, or cancel-all action; show symbol, side, quantity, price, and estimated impact; and prefer read-only behavior unless the user specifically asks to trade.
A private signing key could allow the agent, or anyone who obtains it, to authorize account and trading API requests within that wallet's permissions.
Authenticated requests require wallet identities and an API-wallet private key, which is high-impact delegated account authority. The supplied registry requirements also list no primary credential or environment variable declaration, so the credential boundary is under-declared.
| user | Main wallet address |
| signer | API wallet address (AGENT credential from Pro API registration) |
...
SIGNER_PRIVATE_KEY = "0xYourApiWalletPrivateKey"
...
signed = Account.sign_message(message, private_key=SIGNER_PRIVATE_KEY)
Declare the required credential explicitly, use a dedicated restricted API wallet rather than a main wallet key, enable IP restrictions where available, avoid pasting secrets into prompts, and store credentials only in an approved secret manager.
