SMC Multi-Strategy Paper Trader

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches a public-data paper-trading monitor, but it contains undisclosed GitHub token-based write helpers that do not fit the “no credentials needed” claim.

Review the scripts before installing, especially the GitHub token/PUT helper functions. Do not provide any GitHub token unless the author clearly documents why it is needed and what it can write. If you use the skill, run it in a limited workspace, expect public market-data network calls, and monitor or disable any cron schedules you enable.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked, this code could use a GitHub token to make write requests, which is broader account authority than a paper-trading monitor appears to need.

Why it was flagged

The skill claims public APIs and no credentials, but a monitor script contains a GitHub token-authenticated PUT helper. The provided excerpt does not show a caller, so this is an under-disclosed capability/ambiguity rather than proof of misuse.

Skill content

opts.method = 'PUT'; opts.headers = { Authorization: `token ${token}`, Accept: 'application/vnd.github.v3+json', ... }

Recommendation

Remove the GitHub helpers if unused. If they are required, document exactly what repository/API they access, declare the credential, restrict token scope, and require explicit user opt-in before any write.

What this means

The skill may run local shell commands and depends on curl being available, even though no required binaries are declared.

Why it was flagged

The script uses local shell execution to run curl for FRED data. This is aligned with macro-regime scoring, and the shown series IDs are internal constants, but shell execution is riskier than using the existing HTTPS client.

Skill content

const csv = execSync(`curl -sL --max-time 12 "https://fred.stlouisfed.org/graph/fredgraph.csv?id=${seriesId}&cosd=${startDate}"`, ...)

Recommendation

Prefer Node HTTPS requests over execSync/curl, validate any interpolated values, and declare any required runtime binaries.

What this means

Local JSON state can affect later simulated trades and reported P&L.

Why it was flagged

The skill intentionally persists local coordination and portfolio state that later runs rely on. This is purpose-aligned, but stale or edited files can influence future paper-trading decisions.

Skill content

All SMC monitors share `orchestrator-lock.json` — prevents same-symbol entries across strategies

Recommendation

Keep the trading workspace private, validate/reset state files when needed, and provide clear cleanup or reset instructions.

What this means

If the user enables the schedules, the scripts will keep making network calls and updating local paper-trading files until disabled.

Why it was flagged

The cron setup documents repeated scheduled execution. It is disclosed and user-directed, not automatically installed in the provided artifacts.

Skill content

Macro Rotation:   15 0 * * *    (00:15 UTC daily)

Recommendation

Only enable cron schedules intentionally, monitor their output, and document how to disable or remove them.