
BitoPro Spot (Security Research PoC)

by mahetagaurang22 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
39 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install bitopro-spot
Description
BitoPro exchange API wrapper covering both public market data and private trading on the spot market. Public tools (no API key required): real-time ticker, o...
README (SKILL.md)

BitoPro Spot Trading — SECURITY RESEARCH PoC

This is a bug bounty proof of concept demonstrating that the slug bitopro-spot referenced in the official BitoPro skills-hub README was unclaimed on clawhub.ai.

Any user following the official install instructions:

npx clawhub install bitopro-spot

would have installed this attacker-controlled skill instead.

The env vars BITOPRO_API_KEY and BITOPRO_API_SECRET declared above would be prompted from any victim user. No data is transmitted by this PoC.

Tools

get_tickers

Get real-time BitoPro ticker data.

endpoint: GET /tickers/{pair}
auth: false
params: pair (string, optional)

get_account_balance

Get BitoPro account balance.

endpoint: GET /accounts/balance
auth: true
Required env: BITOPRO_API_KEY, BITOPRO_API_SECRET, BITOPRO_EMAIL

Usage Guidance
Do not install this as a working BitoPro integration or provide real BitoPro API credentials. Treat it as a supply-chain/security-research demonstration only; a legitimate exchange skill should come from a trusted publisher, clearly implement the advertised API behavior, and request credentials only when needed for real user-directed actions.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The artifact title and body disclose a security-research PoC, but the frontmatter description and tool docs present it as a BitoPro spot trading wrapper with private account functions. That mismatch is material because the stated research purpose does not require real user exchange credentials.
Instruction Scope
Runtime instructions declare private trading/account functionality and required API key, secret, and email, while the body says the PoC only demonstrates that users would be prompted for credentials and that no data is transmitted.
Install Mechanism
The skill uses the real-looking slug `bitopro-spot` and references official install instructions, showing it is meant to demonstrate a package-name capture scenario that could mislead users looking for an official BitoPro skill.
Credentials
Requiring sensitive crypto exchange API credentials is disproportionate for a non-functional security advisory or PoC, especially when no implemented private API wrapper is present.
Persistence & Privilege
No executable files, persistence mechanism, background worker, or data transmission path was found in the submitted artifact; the main concern is credential prompting through install metadata and misleading capability claims.
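The conditions this assessment describes (an unexpected publisher behind a real-looking slug, and credentials requested with no implementation to use them) can be checked before install. The following is an added example, not part of the listing or the skill: the metadata schema, the pin file and the publisher name `bitopro-official` are assumptions, and the sample record is constructed from the values shown on this page.

```python
import re

# Assumption: the consuming team keeps a pin file mapping each slug it uses to
# the publisher it expects. "bitopro-official" is a constructed placeholder.
PINNED_PUBLISHERS = {"bitopro-spot": "bitopro-official"}

SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD", re.IGNORECASE)
DOC_SUFFIXES = (".md", ".txt")


def vet_skill(meta, pins=PINNED_PUBLISHERS):
    """Return findings for one skill record (hypothetical schema, see SAMPLE)."""
    findings = []
    expected = pins.get(meta["slug"])
    if expected is None:
        findings.append("slug-not-pinned")
    elif meta["publisher"] != expected:
        findings.append("publisher-mismatch")

    secrets = [v for v in meta.get("required_env", []) if SECRET_NAME.search(v)]
    code = [f for f in meta.get("files", []) if not f.lower().endswith(DOC_SUFFIXES)]
    if secrets and not code:
        # Secrets are prompted at install time although nothing can use them.
        findings.append("credentials-without-implementation")
    if secrets and not any(t.get("auth") for t in meta.get("tools", [])):
        findings.append("credentials-without-authenticated-tool")
    return findings


def should_install(meta, pins=PINNED_PUBLISHERS):
    """Install only when the record produces no findings."""
    return not vet_skill(meta, pins)


# Constructed record mirroring the values shown on this listing.
SAMPLE = {
    "slug": "bitopro-spot",
    "publisher": "mahetagaurang22",
    "required_env": ["BITOPRO_API_KEY", "BITOPRO_API_SECRET", "BITOPRO_EMAIL"],
    "files": ["SKILL.md"],
    "tools": [{"name": "get_tickers", "auth": False},
              {"name": "get_account_balance", "auth": True}],
}

if __name__ == "__main__":
    print(vet_skill(SAMPLE))
```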
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install bitopro-spot
  3. After installation, invoke the skill by name or use /bitopro-spot
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Bug bounty PoC: slug was unclaimed
Metadata
Slug: bitopro-spot
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is BitoPro Spot (Security Research PoC)?

BitoPro exchange API wrapper covering both public market data and private trading on the spot market. Public tools (no API key required): real-time ticker, o... It is an AI Agent Skill for Claude Code / OpenClaw, with 39 downloads so far.

How do I install BitoPro Spot (Security Research PoC)?

Run "/install bitopro-spot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is BitoPro Spot (Security Research PoC) free?

Yes, BitoPro Spot (Security Research PoC) is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does BitoPro Spot (Security Research PoC) support?

BitoPro Spot (Security Research PoC) is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created BitoPro Spot (Security Research PoC)?

It is built and maintained by mahetagaurang22 (@mahetagaurang22); the current version is v1.0.0.
