Trading Bot Risk-as-a-Service

Name: greenhelix-trading-bot-risk-service
Author: mirni

View on ClawHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

The skill deceptively claims not to execute

ThreatsCI SM CS BC S HITL

Behavior Analysis

Mismatch detected — The skill explicitly states it 'does not execute code or install dependencies,' but it provides extensive Python code and curl commands that, if followed, would execute code, require external dependencies (e.g., `requests`, `cryptography`), and interact with external APIs, including a live trading exchange (Binance Futures API).

Claims to do

Trading Bot Risk-as-a-Service: Real-Time Portfolio Risk Monitoring for Multi-Exchange Operations: > **Notice**: This is an educational guide with illustrative code examples. > It does not execute code or install dependencies. > All examples use the GreenHelix sandbox (https://sandbox.greenhelix.net) which > provides 500 free credits — no API key required to get started. > > **Referenced credentials** (you supply these in your own environment): > - `AGENT_SIGNING_KEY`: Cryptographic signing key for agent identity (Ed25519 key pair for request signing)

Actually does

This skill provides a guide with Python code and curl commands. It demonstrates how to build a risk monitoring system that uses `requests` and `cryptography` to interact with the GreenHelix API (`https://sandbox.greenhelix.net/v1` or `https://api.greenhelix.net/v1`) for agent registration, event publishing, event retrieval, SLA compliance checks, and message sending. It also includes an `ExchangeAdapter` example for Binance (`https://fapi.binance.com`) to fetch trading positions and account equity, and to cancel orders, requiring `API_KEY`, `AGENT_SIGNING_KEY`, and Binance `secret_key` credentials.

Threat Analysis

AI Agent Traps ↗Scanned 4/17/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoning1 finding

Cognitive StateMemory & Learningclean

Behavioural ControlAction2 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namemirni/greenhelix-trading-bot-risk-service

Registryclawhub

Version1.3.0

PURLpkg:clawhub/mirni/greenhelix-trading-bot-risk-service@1.3.0

Downloads104

Source

Repository ↗

SHA-25610f8eab027f4...

SHA-1c0d8bf4ede43...

MD52498ca79d13e...

TLSHf4831b56cd20...

ssdeep768:ep6o6sYT...

Size80,999 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/mirni/greenhelix-trading-bot-risk-service

104 downloads

ClawHubDocs

openclaw skills install mirni/greenhelix-trading-bot-risk-service

Assessments (2)

AI Agent Traps ↗

Access to sensitive environment variables detectedcriticalcredential theft

Access to sensitive environment variables detected

100% confidenceline 163

$API_KEY

Reliance on Secure Credential Management by Userinfohardcoded secrets

The skill explicitly requires `AGENT_SIGNING_KEY` and uses placeholders for exchange API keys/secrets. The security of the implemented system heavily relies on the user's secure handling and storage of these credentials, which is outside the skill's direct control.

100% confidenceline 447

credentials: [AGENT_SIGNING_KEY], API_KEY = "your-api-key", private_key_b64="your-private-key-base64"

Description Mismatchhighdescription mismatch

The skill explicitly states it 'does not execute code or install dependencies,' but it provides extensive Python code and curl commands that, if followed, would execute code, require external dependencies (e.g., `requests`, `cryptography`), and interact with external APIs, including a live trading exchange (Binance Futures API).

85% confidence

Stated: 'It does not execute code or install dependencies.' Actual: Python code blocks include `import requests`, `from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey`, and `curl` commands targeting `https://fapi.binance.com`.

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/mirni/greenhelix-trading-bot-risk-service.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/mirni/greenhelix-trading-bot-risk-service)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/mirni/greenhelix-trading-bot-risk-service"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/mirni/greenhelix-trading-bot-risk-service.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/mirni/greenhelix-trading-bot-risk-service.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow