Yubit Exchange Skill
AdvisoryAudited by Static analysis on May 11, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad agent action could move funds, open or close leveraged positions, or change trading risk settings.
These are high-impact financial mutation capabilities, and the provided artifact text does not show explicit confirmation or safety checks before using them.
transfer funds, inspect positions/orders/history/wallet flow records, place or cancel perp orders, manage leverage or mode, set take-profit / stop-loss
Require explicit user confirmation before transfers, order placement/cancellation, leverage or mode changes, and TP/SL updates; show symbol, side, amount, price, destination, fees, and expected impact before execution.
Users may not know which account credentials the skill will use or whether those credentials allow withdrawals or trading.
The artifacts indicate sensitive wallet/exchange credentials are needed, but do not declare how credentials are supplied, scoped, or limited.
Primary credential: none; Required env vars: none; Required config paths: none; Capability signals: requires-wallet, requires-sensitive-credentials
Document the credential mechanism and required API scopes; prefer read-only credentials for market/balance tasks and require separate, user-approved trading or transfer permissions.
The installed binary will be trusted to handle exchange requests and credentials, so package provenance matters.
The skill relies on an external npm-installed binary for exchange operations; this is purpose-aligned, but the supplied review artifacts do not include the package code.
node | package: @yubit/exchange-skill | creates binaries: yubit
Install only from the verified Yubit source, pin the package version or digest where possible, and review vendor documentation before granting account permissions.
Sensitive account and trading information may be exposed to the configured MCP/CLI integration.
Account balances, positions, orders, and wallet-flow data are routed through Yubit MCP tools, which is expected for the integration but involves sensitive financial data.
Use the yubit MCP tools for all account and portfolio queries.
Use only trusted Yubit MCP endpoints and avoid sharing account data outside the exchange workflow.