Yubit Exchange Skill
Suspicious
Audited by ClawScan on May 11, 2026.
Overview
This appears to be a legitimate Yubit exchange skill, but it can control crypto funds and trades with unclear credential and approval boundaries.
Only install this if you trust the Yubit npm package and understand which exchange account credentials it will use. Prefer limited API keys, disable withdrawal permissions unless absolutely needed, and require manual confirmation before any transfer, trade, leverage, or stop-loss/take-profit change.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad agent action could move funds, open or close leveraged positions, or change trading risk settings.
These are high-impact financial mutation capabilities, and the provided artifact text does not show explicit confirmation or safety checks before using them.
transfer funds, inspect positions/orders/history/wallet flow records, place or cancel perp orders, manage leverage or mode, set take-profit / stop-loss
Require explicit user confirmation before transfers, order placement/cancellation, leverage or mode changes, and TP/SL updates; show symbol, side, amount, price, destination, fees, and expected impact before execution.
Users may not know which account credentials the skill will use or whether those credentials allow withdrawals or trading.
The artifacts indicate sensitive wallet/exchange credentials are needed, but do not declare how credentials are supplied, scoped, or limited.
Primary credential: none; Required env vars: none; Required config paths: none; Capability signals: requires-wallet, requires-sensitive-credentials
Document the credential mechanism and required API scopes; prefer read-only credentials for market/balance tasks and require separate, user-approved trading or transfer permissions.
The installed binary will be trusted to handle exchange requests and credentials, so package provenance matters.
The skill relies on an external npm-installed binary for exchange operations; this is purpose-aligned, but the supplied review artifacts do not include the package code.
node | package: @yubit/exchange-skill | creates binaries: yubit
Install only from the verified Yubit source, pin the package version or digest where possible, and review vendor documentation before granting account permissions.
Sensitive account and trading information may be exposed to the configured MCP/CLI integration.
Account balances, positions, orders, and wallet-flow data are routed through Yubit MCP tools, which is expected for the integration but involves sensitive financial data.
Use the yubit MCP tools for all account and portfolio queries.
Use only trusted Yubit MCP endpoints and avoid sharing account data outside the exchange workflow.
