💹 Trade Executor — 技能工具
v0.1.0[自动翻译] Execute cryptocurrency trades on exchanges (Binance, OKX) with risk controls, user confirmation, and audit logging.
0· 344·3 当前·3 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose (execute trades on Binance and OKX) is plausible, but the runtime instructions and declared environment requirements are inconsistent and incomplete — notably OKX credentials are used in the docs but not declared — which could lead to unexpected behavior or hidden credential access.
评估建议
Do not install or grant API keys until the owner clarifies the credential requirements and behavior. Specific actions to consider before proceeding:
- Ask the publisher to update metadata to list OKX env vars (OKX_API_KEY, OKX_API_SECRET, OKX_PASSPHRASE) if OKX support is intended, or remove OKX docs if not.
- Only provide exchange API keys with minimal permissions (enable trading, disable withdrawals), and ideally restrict by IP or use testnet keys first.
- Confirm who/what provides the gateway...详细分析 ▾
⚠ 用途与能力
The skill advertises support for Binance and OKX. The metadata/requirements only declare BINANCE_API_KEY and BINANCE_API_SECRET as required env vars (primaryEnv = BINANCE_API_KEY). However impl/okx.md describes OKX-specific credentials (OKX_API_KEY, OKX_API_SECRET, OKX_PASSPHRASE). This mismatch means the skill's declared needs do not fully match its claimed capabilities.
⚠ 指令范围
SKILL.md and impl files instruct calling official exchange APIs (api.binance.com, api.okx.com), performing HMAC signing, and requiring user confirmation and risk checks — these are appropriate. However the instructions reference openclaw.json allowedPairs and a gateway that tracks daily counts/losses across sessions without declaring access to those config or state paths. Also impl/okx.md references environment variables not listed in the skill metadata, which indicates the runtime agent may access env vars beyond those declared.
✓ 安装机制
This is an instruction-only skill with no install spec and no code files to write to disk, which minimizes install-time risk.
⚠ 凭证需求
Requiring Binance API key/secret is proportionate for Binance trading. But because the skill also documents OKX integration that requires additional secrets, the environment requirements are incomplete/ambiguous. The skill may expect or attempt to read OKX credentials at runtime even though they aren't declared. The skill requests API keys (sensitive) and therefore the exact set of credentials should be clearly documented and limited to trade-only keys; that clarity is absent.
✓ 持久化与权限
always:false and no install behavior modifying other skills or system-wide config. The skill states it will not write files and relies on a gateway for audit logging, which is consistent with being instruction-only.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/3/9
trade-executor v0.1.0 - Initial release of trade-executor for executing cryptocurrency trades on Binance and OKX. - Implements complete risk controls, including whitelist pairs, per-trade and daily limits, stop-loss enforcement, and session-aware checks. - Requires explicit user confirmation for every order before execution. - Supports both user-initiated and pre-authorized market-monitor signals (with confidence ≥ 0.85). - Orders are only executed when all safety checks pass; detailed rejection reasons provided otherwise. - All trades are logged for audit with structured records; no persistent writes by Vega itself.
● 无害
安装命令 点击复制
官方npx clawhub@latest install trade-executor
镜像加速npx clawhub@latest install trade-executor --registry https://cn.clawhub-mirror.com
技能文档
接口层:定义前置条件、风控流程、用户确认格式、审计记录结构,与具体交易所无关。>
各交易所的下单 API 和签名方式见impl/目录:
->impl/binance.md— Binance 实现
-impl/okx.md— OKX 实现
新增交易所时,只需添加对应 impl/{exchange}.md,本文件无需修改。概述
执行加密货币交易,包含完整的风控检查和用户确认流程。
触发条件
- 用户明确要求下单
- market-monitor 产生信号且用户已预授权(
confidence ≥ 0.85)
前置条件(全部满足才执行)
- 用户已明确确认交易意图
- 风控检查全部通过(见下方清单)
- 交易对在白名单中(见 openclaw.json
allowedPairs) - 目标交易所的 API Key 已配置且有效
风控检查清单
[RISK CHECK] 执行前逐项验证:
├── [ ] 交易对在白名单? (BTC/USDT, ETH/USDT, SOL/USDT)
├── [ ] 单笔金额 ≤ 1,000 USDT?
├── [ ] 今日交易笔数 < 20? ← 由网关跨 session 追踪
├── [ ] 今日累计亏损 < 500 USDT? ← 由网关跨 session 追踪
├── [ ] 操作类型安全? (非提币/转账/改权限)
├── [ ] 用户已确认?
└── [ ] 止损已设置?
任何一项未通过 → 拒绝执行,向用户说明具体原因。
执行流程
1. 参数验证
必需: exchange, pair, side (buy/sell), type (limit/market), quantity
可选: price(limit 单必须), stopLoss, takeProfit
2. 用户确认展示
交易确认:
交易所: {exchange}
交易对: {pair}
方向: 买入 / 卖出
类型: 限价单 / 市价单
价格: ${price}
数量: {quantity} {base}
金额: ${amount}
止损: ${stopLoss} (-{pct}%)
止盈: ${takeProfit} (+{pct}%)请回复 "确认" 执行,或 "取消" 放弃
3. 下单
根据 exchange 参数加载对应 impl/{exchange}.md,调用其下单 API。
4. 结果处理
- 成功:返回订单 ID 和成交详情
- 部分成交:通知用户,继续监控剩余数量
- 失败:返回错误说明,建议处理方式
审计记录格式
每笔交易由网关自动记录(Vega 无需写入):
{
"tradeId": "uuid",
"timestamp": "ISO8601",
"exchange": "binance | okx",
"pair": "BTC/USDT",
"side": "buy | sell",
"type": "limit | market",
"price": 0.0,
"quantity": 0.0,
"amountUSD": 0.0,
"stopLoss": 0.0,
"takeProfit": 0.0,
"orderId": "exchange_order_id",
"status": "filled | partial | rejected | cancelled",
"riskChecks": { "allPassed": true, "details": [] },
"userConfirmed": true
}
安全约束
- 用户确认是强制流程,不可跳过,不可由代码自动确认
- exec = deny,write = deny(Vega 自身不写任何文件)
- 所有交易记录由网关写入审计日志
- 风控违规自动拒绝并告警
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制