Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SMC Multi-Strategy Paper Trader
v2.1.0
Paper trading monitors for SMC (Smart Money Concepts) + Macro Rotation strategies. Includes swing (4H BoS+FVG), day (1H BoS+FVG+CVD), coordinated 8D/2S orche...
by Zero2Ai @zero2ai-hub
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (SMC paper trading, regime scorer, macro rotation) match the included scripts and file list: all data sources are Binance public endpoints, alternative.me, and FRED for macro inputs. The code reads/writes local portfolio/regime/orchestrator JSONs under the user's HOME workspace, which is expected for a paper-trader.
Instruction Scope
SKILL.md instructs running the provided Node scripts on a schedule and explicitly says only public Binance / alternative.me / FRED data are used. The scripts do read and write local files (portfolio, orchestrator lock, regime.json) as documented. Nothing in SKILL.md asks the agent to access unrelated system secrets or files. One caveat: several scripts include helper functions that accept an Authorization token (apiFetch2 / apiFetch2Put) and will send Authorization headers if a token is supplied; SKILL.md does not require any tokens, so in normal use these remain unused.
Install Mechanism
This is an instruction-only script bundle with no install spec. No packages are downloaded or extracted by an installer. Risk from the install mechanism is therefore low.
Credentials
The skill declares no required environment variables or credentials and only uses process.env.HOME (to locate workspace files). That is proportionate. Note: the code contains functions that accept GitHub-style tokens and will send authenticated requests if such tokens are provided at runtime — the skill does not declare or require any such env var, so this only becomes relevant if you or another process supplies a token.
Persistence & Privilege
always:false and no special platform privileges requested. The skill writes and reads files under ~/.openclaw/workspace/trading (its own workspace), which is consistent with the described orchestrator and portfolio features. It does not attempt to modify other skills or system-wide agent configuration.
Assessment
This skill appears coherent and implements the paper-trading system it documents. Before installing or running it, consider:
1) Scripts create and modify JSON files under ~/.openclaw/workspace/trading — back up any existing data in that path.
2) macro-rotation.js uses child_process.execSync to curl FRED CSVs (shell execution is limited here but higher-risk than using the https module); if you prefer, review/replace the execSync call with an https fetch.
3) Several helper functions (apiFetch2 / apiFetch2Put) are present that will send Authorization headers if a token is supplied — do not provide GitHub or other service tokens to this skill unless you understand why and trust the destination.
4) Run the scripts in a sandboxed environment or with limited permissions if you plan to let them run autonomous cron jobs.
If you want higher assurance, ask the author for justification of the apiFetch2 functions and/or remove/disable any code paths that would accept an externally provided token.
scripts/macro-rotation.js:68
Shell command execution detected (child_process).
scripts/regime-scorer.js:158
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
