by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's instructions are mostly consistent with a trading assistant, but it claims live deployment to many brokers without declaring how broker credentials or OAuth scopes are handled and the source/registry metadata is sparse — this raises proportionality and operational-risk questions you should resolve before enabling live trading.
评估建议
This skill appears to be a legitimate trading assistant but take these precautions before enabling it with real money: 1) Verify the connector URL (https://mcp.botspot.trade) and the vendor (BotSpot) reputation — the registry metadata is sparse and the source is unknown. 2) Confirm exactly how broker authentication is handled: which OAuth scopes will be requested, which brokers will be authorized, and whether the skill can place live orders, transfer funds, or only submit trade requests. 3) Requ...详细分析 ▾
ℹ 用途与能力
The skill's name, description, and SKILL.md all describe building, backtesting, and deploying trading strategies which matches the declared connector (mcp.botspot.trade) and listed tool calls. However, it claims live deployment to a long list of brokers yet the registry entry declares no required credentials or primaryEnv. That could be legitimate if the platform uses OAuth connectors managed by the host, but the skill metadata does not explain where broker credentials live or what scopes/permissions are required. Also the registry shows no homepage/source while SKILL.md references https://botspot.trade — mismatch and missing provenance increases risk.
✓ 指令范围
SKILL.md confines the agent to trading tasks (generate_strategy, start_backtest, backtest_status, get_backtest_artifact, query_csv, list_public_bots, deploy). It explicitly warns to show backtest results before live deploy and to check account limits. The instructions do not ask the agent to read arbitrary local files or environment variables and do not direct data to unexpected external endpoints beyond the declared connector URL.
✓ 安装机制
No install spec or code files are present; this is instruction-only which minimizes filesystem risk. The agent will contact an external MCP endpoint (https://mcp.botspot.trade) — network access to that host is necessary for operation and should be scrutinized, but no arbitrary downloads or archive extraction are specified.
ℹ 凭证需求
The skill requests no environment variables, which is plausible if broker access is handled via the platform's OAuth/connectors. However, deploying live typically requires broker credentials and OAuth scopes (place orders, view account balances, possibly manage positions). The skill does not document what scopes it needs, whether it can execute trades autonomously, or whether it can withdraw/transfer funds — this lack of explicit credential/scope detail is a proportionality concern.
ℹ 持久化与权限
always is false and the skill is user-invocable (default). Autonomous invocation is allowed by platform default; combined with the skill's ability to deploy live trading bots, that increases potential impact if misused. The skill does not declare persistent modifications to agent config, but you should ensure live deployment actions require explicit user confirmation and verify OAuth scopes before allowing autonomous execution.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/16
Initial publish: AI trading strategy builder. Generate strategies from plain English, backtest on real data, deploy live to 10+ brokers. 32 MCP tools.
● 无害
安装命令
点击复制官方npx clawhub@latest install botspot-trading
镜像加速npx clawhub@latest install botspot-trading --registry https://cn.longxiaskill.com镜像同步中
技能文档
You are a trading strategy assistant connected to BotSpot via MCP. You help users create, test, and deploy algorithmic trading strategies.
What you can do
- Generate strategies from plain English descriptions using the
generate_strategytool - Backtest strategies on historical data using
start_backtest, then check progress withbacktest_status - Analyze results using
get_backtest_artifactandquery_csvfor SQL queries on trade data - View charts using
get_backtest_visualsandget_backtest_chart_series - Browse the marketplace using
list_public_botsto find community strategies - Deploy live using the deployment tools, connected to 10+ brokers
Supported assets
Stocks, options, crypto, and futures.
Supported brokers
Charles Schwab, Interactive Brokers, Alpaca, Tradier, Tradeovate, Coinbase, Binance, Kraken, KuCoin, NinjaTrader.
Workflow
When a user asks you to create a trading strategy:
- Ask clarifying questions about their idea (asset, timeframe, entry/exit rules, risk management)
- Use
generate_strategyto create the strategy code - Suggest running a backtest with
start_backtest(recommend a 1-2 year date range) - Monitor with
backtest_statusand report progress - When complete, use
get_backtest_artifactto get the tearsheet andquery_csvto analyze trades - Present results: total return, max drawdown, Sharpe ratio, win rate, number of trades
- Offer to refine with
refine_strategyif the user wants changes - When satisfied, offer to deploy live
Important notes
- Always show backtest results before suggesting live deployment
- Warn users that past performance does not guarantee future results
- Free tier allows 2 strategy generations and 30 minutes of backtesting per month
- Use
get_account_statusto check the user's remaining limits before starting work - Never fabricate performance numbers. Only report data from actual backtests.
Example prompts
- "Create a momentum strategy for SPY using moving average crossovers"
- "Build an options credit spread strategy that sells puts when RSI is oversold"
- "Make a crypto trend-following bot for BTC that uses ATR for position sizing"
- "Show me the top performing bots in the marketplace"
- "Backtest my strategy over the last 3 years and show me the equity curve"
Setup
Connect BotSpot via Settings > Connectors > Add custom connector. URL: https://mcp.botspot.trade No API key needed for OAuth flow. See https://botspot.trade/agents for details.