📦 Etrade Pelosi Bot — Copy-Trading Congressional Trades

v1.0.0

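Automatically mirrors congressional members' stock trades, combining broker order placement with risk controls to implement a zero-latency copy strategy.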

by @mainfraame · MIT
License: MIT
Last updated: 2026/4/21
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
The package mostly does what it says (an automated trading bot that mirrors congressional trades), but there are inconsistencies and persistence/system-modification behaviors that warrant caution before installing or running it with real credentials or letting it run autonomously.
Assessment recommendations
What to consider before installing or running this skill:
- Registry vs SKILL.md mismatch: The registry says no required credentials, but SKILL.md and config files require BROKER_API_KEY, BROKER_API_SECRET and BROKER_ACCOUNT_ID (and optionally TELEGRAM tokens). Treat that as a red flag — confirm exactly what secrets the package will ask for before proceeding.
- Do not run with real brokerage credentials until you audit the code. The bot will store access tokens and may place real orders. Test ...
Detailed analysis
Purpose and capabilities
The skill's declared purpose (mirror congressional trades and execute them via a broker) aligns with the code and scripts (broker adapters, trade engine, cron setup, Telegram notifier). However the registry metadata claims no required env vars/credentials while SKILL.md and multiple config files clearly expect BROKER_API_KEY, BROKER_API_SECRET and BROKER_ACCOUNT_ID (and optional TELEGRAM_*). That metadata mismatch is an incoherence an installer should notice. The bot also targets specific politicians (Pelosi, others) which is consistent with the stated purpose but may be ethically/questionably narrow — this is not a security finding per se but worth noting.
Instruction scope
Runtime instructions and scripts ask the user/agent to create config files containing API keys or to read secrets from environment variables or config/secrets.json, to run interactive auth flows, and to run setup scripts that install packages and configure cron jobs. The code writes auth state and access tokens to local files (e.g., .auth_state.json, .access_tokens.json, config/config.json), and the setup scripts install services and schedule recurring cron jobs. These actions go beyond read-only data-fetching: they create persistent automation that can place trades and run background processes. The SKILL.md also recommends running scripts that will modify the host (cron), which increases risk if done without review.
Install mechanism
There is no formal install spec in the registry (instruction-only), but the bundle contains many executable scripts (final_setup.sh, setup_*.sh, install_deps.sh, scripts/setup_cron.sh) that perform pip installs and file writes. The package does not download code from obscure servers; it relies on pip for dependencies and bundled scripts. That is moderate risk: no remote arbitrary archive downloads were observed, but the included scripts install packages and lay down persistent cron entries and control scripts on the host.
Credential requirements
The credentials the project needs (broker API key/secret and account id, optional Telegram token/chat id) are appropriate for automated brokerage access. However the registry metadata lists no required env vars while SKILL.md and config files declare those secrets — an incoherence. Additionally, docs/QuickStart include what look like explicit API key/secret strings in examples; embedding credentials or sample keys in documentation is suspicious and could indicate accidental exposure or encourage insecure copying. The code writes tokens to local files (un-encrypted), which is expected for this type of tool but increases the need for careful handling of these secrets.
Persistence and privileges
Although 'always' is false, the skill (via its scripts and SKILL.md instructions) sets up cron jobs, creates background runner scripts (nohup), and writes configuration and token files. That creates persistent automation on the host that will continue running independently of the AI agent. This is within the functional scope of an automated trading system but represents significant persistence and privilege (ability to place financial orders) and must be treated with elevated caution.
Security is layered; review the code before running it.

License

MIT

Free to use, modify, and redistribute; the copyright notice must be retained.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/2/1

Initial release of ClawBack – Congressional trade mirroring bot
- Tracks and mirrors congressional stock trades with automated real-time brokerage execution.
- Integrates with E*TRADE for trade placement (adapter pattern, more brokers planned).
- Smart position sizing and risk management (stop-losses, trailing stops, drawdown limits).
- Sends Telegram notifications for new trades and risk events.
- Includes full backtesting engine and historical strategy performance.
- Easy configuration via environment variables or JSON files; cron job support for automation.


Install commands

Official: npx clawhub@latest install etrade-pelosi-bot
Mirror (accelerated): npx clawhub@latest install etrade-pelosi-bot --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库