← Back to Skills Marketplace
TA Radar
by
deanpeng-dotcom
· GitHub ↗
· v1.2.0
· MIT-0
72
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install ta-radar
Description
Multi-Dimensional Technical Analysis Radar for cryptocurrencies. Supports spot trading pairs (Binance/Gate.io) and on-chain contract addresses (via DexScreen...
Usage Guidance
This skill largely looks like what it says (a crypto TA tool), but there are three reasons to be cautious: (1) SKILL.md asks the agent to write and run a long embedded Python script — running code embedded in a skill is more powerful and riskier than just calling an API; (2) the metadata claims 'pip install -r requirements.txt' while the package claims zero-dependency and no requirements.txt is present — ask the maintainer to clarify or show the repository and requirements.txt before installing; (3) I could not inspect the entire embedded script (it was truncated here), so review the full script to ensure it doesn't call unexpected endpoints, exfiltrate data, or read local files. Recommended precautions: run the skill only in an isolated/sandboxed environment (or review the full embedded script first), verify the repository/source code on GitHub, and confirm there are no hidden endpoints or calls beyond the listed public APIs (Binance, Gate.io, DexScreener via allorigins.win). If you rely on it for real funds, consider running the script locally yourself after manual code review rather than allowing autonomous agent execution.
Capability Analysis
Type: OpenClaw Skill
Name: ta-radar
Version: 1.2.0
The skill is classified as suspicious due to a shell injection vulnerability in the execution instructions within SKILL.md. The agent is instructed to execute a bash command where user-controlled parameters (TA_SYMBOL and TA_INTERVAL) are embedded directly into environment variable assignments (e.g., TA_SYMBOL="<SYMBOL>") without sanitization, which allows for arbitrary command execution on the host. While the embedded Python script itself appears to be a legitimate technical analysis tool fetching data from Binance and Gate.io, the insecure instruction template in SKILL.md poses a significant security risk.
Capability Tags
Capability Assessment
Purpose & Capability
The name/description (TA Radar for crypto) align with the described data sources (Binance, Gate.io, DexScreener) and the indicators computed. However SKILL.md metadata lists an install command 'pip install -r requirements.txt' while README and the embedded script claim 'zero-dependency' pure-Python operation and no requirements.txt is present in the manifest — this inconsistency is unexplained.
Instruction Scope
The agent is instructed to write a full Python script to /tmp and execute it, then delete it. Running code supplied inside the SKILL.md is expected for instruction-only skills but is higher-risk than simple API calls because the embedded script can perform arbitrary I/O and network requests. From the visible parts the script fetches only the listed public endpoints (api.binance.info, api.gateio.ws, allorigins.win→DexScreener). I could not inspect the entire embedded script (it was truncated in the provided SKILL.md), so unknown behavior may exist. The instruction to return the script's full stdout unchanged may expose unexpected local details if the script prints them.
Install Mechanism
There is no separate install spec and no archived downloads; runtime network calls happen only during script execution. The presence of an install command in the SKILL.md metadata (pip install -r requirements.txt) conflicts with the 'zero-dependency' claim and with the manifest (no requirements.txt). No high-risk installer URLs or extracted archives are present.
Credentials
Declared environment variables are minimal and appropriate: TA_SYMBOL (required) and TA_INTERVAL (optional). The skill does not request secrets or credentials and the visible script only reads those vars. No evidence the skill asks for unrelated credentials or system config paths.
Persistence & Privilege
The skill is not set to always:true and does not request persistent system-level changes. It writes a temporary file to /tmp and deletes it; no installation of persistent daemons or modification of other skills is indicated.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ta-radar - After installation, invoke the skill by name or use
/ta-radar - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
**Summary:**
Version 1.2.0 introduces major reliability and usability improvements.
- Gate.io added as an automatic fallback K-line price source if Binance is unavailable, ensuring uninterrupted access for all users.
- Beginner-friendly, plain-language explanations now included alongside each technical indicator in generated reports.
- Enhanced GFW/firewall compatibility for mainland China users via automatic API fallback and proxy use.
- No changes to usage or external dependencies—continues to be a zero-dependency Python skill.
Metadata
Frequently Asked Questions
What is TA Radar?
Multi-Dimensional Technical Analysis Radar for cryptocurrencies. Supports spot trading pairs (Binance/Gate.io) and on-chain contract addresses (via DexScreen... It is an AI Agent Skill for Claude Code / OpenClaw, with 72 downloads so far.
How do I install TA Radar?
Run "/install ta-radar" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is TA Radar free?
Yes, TA Radar is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does TA Radar support?
TA Radar is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created TA Radar?
It is built and maintained by deanpeng-dotcom (@deanpeng-dotcom); the current version is v1.2.0.
More Skills