Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Funding Rate Arbitrage Assistant

v1.0.0

Monitor, evaluate, and operate a funding rate arbitrage strategy for crypto perpetual swaps. Use when the user asks to check funding-rate arbitrage opportuni...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is clearly positioned as a funding-rate arbitrage decision-support and operating guide. That purpose aligns with the included strategy and listing references. However, the SKILL.md also addresses live execution (placing/modifying orders) while the skill declares no required credentials or integration points — acceptable if the skill is advisory-only, inconsistent if it is expected to operate accounts.
Instruction Scope
Instructions are specific to funding-rate workflows (confirm exchange/account mode, gather live funding rates/positions, apply rules, produce action plans). The document tells the agent to 'pull live funding-rate and position data' and to 'restate action before placing or modifying orders' but does not define where or how to obtain data/credentials or what execution endpoints to call. That leaves broad discretion to the agent or to the surrounding integration — a potential scope creep if the agent is given execution privileges.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code — low install risk (nothing is written to disk by the skill itself).
Credentials
The skill implies needing exchange account data and possibly API keys for live monitoring and execution, but requires no environment variables or credentials. That mismatch is potentially problematic: if the skill will be used to execute trades, explicit, minimal, and well-scoped credential requirements (and guidance to use restricted/read-only keys or manual confirmation) should be documented.
Persistence & Privilege
always:false and no system/config path modifications are requested. The skill does not ask for persistent system privileges or to modify other skills' settings.
What to consider before installing
This skill is an instruction-only decision-support guide for funding-rate arbitrage and appears coherent in strategy and content, but it leaves unspecified how live account data and order execution are provided. Before installing or using it for live trading:

1) Clarify whether the agent will only give advice or will be allowed to place orders.
2) If execution is intended, require explicit, minimal, and documented credentials (use read-only keys for monitoring; use narrowly scoped API keys and IP restrictions for execution).
3) Insist on manual confirmation before any order is placed by the agent (restate-and-confirm).
4) Test the workflow thoroughly in demo/paper mode and verify duplicate-order and stop-loss behaviors.
5) If you need higher assurance, ask the developer to declare required env vars and integration points and to provide code or an install spec that documents exactly how credentials are handled.

These clarifications would move the assessment toward 'benign'; lack of them keeps it 'suspicious.'

