Quant Trader
v1.0.0
Professional quantitative trading system for cryptocurrency: backtesting, paper trading, live trading, and strategy optimization
by Justin Liu (@zhenstaff)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The name and description (quant trading, backtest, live trading) align with the documented instructions and examples (backtest, paper, and live modes using ccxt/Binance). However, the skill metadata declares no required environment variables or credentials, while the SKILL.md explicitly shows use of BINANCE_API_KEY/BINANCE_API_SECRET and a Telegram bot token in the example config; this mismatch is unexpected.
Instruction Scope
SKILL.md instructs users/agents to git clone https://github.com/ZhenRobotics/openclaw-quant, pip install requirements, and run backtests or real trading. Those steps are within expected scope for a trading skill, but they give the agent/installer permission to download and execute third-party code and to read environment variables for exchange keys—actions that have real risk for funds and secrets if not handled carefully.
Install Mechanism
There is no registry install spec; instead the instructions tell users to clone a GitHub repo and run pip install -r requirements.txt. Pulling and executing code from an external GitHub repo is common but higher risk than an instruction-only local operation because it writes code to disk and installs third-party packages that could contain malicious behavior. The repository's origin and maintainer are not verified in the registry metadata (source/homepage unknown).
Credentials
The skill metadata lists no required env vars, yet SKILL.md shows use of BINANCE_API_KEY and BINANCE_API_SECRET for live trading and a Telegram bot_token/chat_id for notifications. That omission is a red flag: the skill will attempt to use sensitive credentials that the registry did not declare. Users should treat any exchange API keys (and notification tokens) as highly sensitive and verify why and where they are used before providing them.
Persistence & Privilege
The skill is not set to always: true and does not request system-wide config paths or other skills' credentials. It appears to be an on-demand skill that can be invoked by the agent—this is standard and not an extra persistent privilege.
What to consider before installing
This skill appears to be a legitimate trading framework, but there are mismatches and risks you should address before installing or giving it credentials:
- Verify the repository and publisher: visit https://github.com/ZhenRobotics/openclaw-quant, check the maintainer, commit history, issues, and community. The registry metadata lacks a homepage/source, which lowers confidence.
- Inspect code before running: review requirements.txt and the live/trading/broker code (live.py, broker.py) for any hardcoded endpoints, telemetry, or exfiltration logic.
- Use testnet and minimal permissions: when trying live features, use exchange testnet keys or API keys limited to trading and ideally without withdrawal permissions. Start with very small amounts.
- Don’t expose real secrets to the agent automatically: the SKILL.md examples use BINANCE_API_KEY/BINANCE_API_SECRET and telegram tokens—treat these as sensitive. Consider using ephemeral/test credentials or a secrets manager and avoid pasting keys into chat.
- Run in an isolated environment: use a VM or container and a Python virtualenv to contain any installed packages.
- Audit dependencies: ensure requirements.txt does not include suspicious or unmaintained packages, and pin versions.
If you want higher confidence, provide the actual GitHub repo link and checksums, or ask the skill publisher for provenance and a signed release; with that we could re-evaluate and raise confidence.
