Aster Spot
Warn
Audited by ClawScan on May 18, 2026.
Overview
This instruction-only Aster API skill is coherent, but it covers trading, transfers, and withdrawals with exchange API keys while credential declarations and safety confirmations are not clearly bounded.
Use this skill only if you intend an agent to interact with your Aster account. Start with read-only API keys when possible, avoid withdrawal permission unless absolutely necessary, use IP allowlisting, keep balances limited, and require manual confirmation before any trade, transfer, withdrawal, or API-key creation action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
With valid Aster credentials, an agent following this skill could place trades or move funds if the user or agent invokes those endpoints.
These are high-impact financial mutation endpoints. The provided instructions list them for use, but do not show mandatory confirmation, read-only defaults, dry-run handling, or transaction limits before submitting orders, transfers, or withdrawals.
`/api/v1/order` (POST) | Place new order ... `/api/v1/asset/sendToAddress` (POST) | Transfer asset to other address ... `/api/v1/aster/user-withdraw` (POST) | Withdraw funds
Require explicit user confirmation for every order, transfer, or withdrawal; prefer read-only workflows by default; and document safe parameter checks, dry-run behavior, and reversal limitations.
Users may not realize before enabling the skill that it can require exchange credentials capable of trading or moving assets, depending on API-key permissions.
The registry does not declare a credential contract even though the skill documentation says authenticated Aster endpoints require an API key and secret key. That under-declares the permission boundary for high-impact account actions.
Required env vars: none; Env var declarations: none; Primary credential: none
Declare the Aster API key and secret as credentials, state the minimum required permissions, recommend read-only keys for market/account queries, and warn against enabling withdrawal or broad trading permissions unless strictly needed.
It may be harder to verify that the endpoint guidance and claimed Aster affiliation are official or current.
There is no install code, so this is not a package-execution concern, but the provenance is limited for a skill that provides instructions for a financial exchange API.
Source: unknown; Homepage: none
Verify the base URL, endpoints, and signing process against Aster's official documentation before using real credentials or funds.
