← Back to Skills Marketplace
elmoyeldo

cTrader Commander

by Elmo · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
449
Downloads
2
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install ctrader-commander
Description
Place and manage cTrader orders (market, limit, stop), check open positions, fetch live quotes and OHLC candles, and query account balance and equity via a l...
README (SKILL.md)

cTrader Commander

Use when the user wants to place trades, check positions or balance, get live prices, fetch candles, or manage orders on a cTrader account.

All calls go to http://localhost:9009 — credentials live in .env on the server, never passed by callers.

Proxy repo: https://github.com/LogicalSapien/ctrader-openapi-proxy Clone it, add your .env, and run make run to start the proxy before using this skill.

Full reference: {baseDir}/endpoints.md

Check proxy is running

curl -s "http://localhost:9009/get-data?command=ProtoOAVersionReq"

If it fails, start the proxy: cd ~/ctrader-openapi-proxy && make run

Find symbol IDs (do this first)

Symbol IDs are broker-specific — look them up before placing orders or fetching data:

curl -s "http://localhost:9009/get-data?command=ProtoOASymbolsListReq"

Returns symbol[] with symbolId and symbolName. Note the ID for your instrument.

Place a market order

curl -s -X POST http://localhost:9009/api/market-order \
  -H "Content-Type: application/json" \
  -d '{"symbolId": 158, "orderType": "MARKET", "tradeSide": "BUY", "volume": 1000}'

Volume is in units: 1000 = 0.01 lot · 10000 = 0.1 lot · 100000 = 1 lot. Add "relativeStopLoss": 200, "relativeTakeProfit": 350 (pips, market orders only).

Place a limit or stop order

curl -s -X POST http://localhost:9009/api/market-order \
  -H "Content-Type: application/json" \
  -d '{"symbolId": 158, "orderType": "LIMIT", "tradeSide": "BUY", "volume": 1000, "price": 0.62500}'

orderType: MARKET · LIMIT · STOPtradeSide: BUY · SELL

Get OHLC candles

NOW_MS=$(python3 -c "import time; print(int(time.time()*1000))")
FROM_MS=$(python3 -c "import time; print(int(time.time()*1000) - 3600000)")
curl -s -X POST http://localhost:9009/api/trendbars \
  -H "Content-Type: application/json" \
  -d "{\"fromTimestamp\": $FROM_MS, \"toTimestamp\": $NOW_MS, \"period\": \"M5\", \"symbolId\": 158}"

Periods: M1 M2 M3 M4 M5 M10 M15 M30 H1 H4 H12 D1 W1 MN1

Get live quote (tick data)

curl -s -X POST http://localhost:9009/api/live-quote \
  -H "Content-Type: application/json" \
  -d '{"symbolId": 158, "quoteType": "BID", "timeDeltaInSeconds": 60}'

quoteType: BID or ASK

Open positions and pending orders

curl -s "http://localhost:9009/get-data?command=ProtoOAReconcileReq"

Close a position

curl -s "http://localhost:9009/get-data?command=ClosePosition%20123456%201000"
# ClosePosition \x3CpositionId> \x3CvolumeInUnits>

Cancel a pending order

curl -s "http://localhost:9009/get-data?command=CancelOrder%20789"

Account info (balance, equity, leverage)

curl -s "http://localhost:9009/get-data?command=ProtoOATraderReq"

A local HTTP proxy (localhost:9009) that wraps the cTrader OpenAPI Protobuf connection and exposes it as a REST API. No credentials are passed at call time — they are loaded from .env on the server.

Full endpoint reference: {baseDir}/endpoints.md Python usage examples: {baseDir}/examples.md

Prerequisites

The proxy must be running before any call. If unsure, check:

curl -s "http://localhost:9009/get-data?command=ProtoOAVersionReq"

If it returns JSON, the proxy is up. If it fails, start it:

cd ~/ctrader-openapi-proxy && make run

IMPORTANT: Symbol IDs are broker-specific

Always look up the symbol ID before placing orders or fetching candle/tick data. Symbol IDs differ between brokers and between demo and live accounts.

curl -s "http://localhost:9009/get-data?command=ProtoOASymbolsListReq"

Response contains symbol[] with symbolId and symbolName. Find your instrument and note its symbolId.

Endpoints

Get OHLC Candles

POST /api/trendbars

{
  "fromTimestamp": 1700000000000,
  "toTimestamp":   1700086400000,
  "period":        "M5",
  "symbolId":      158
}

period options: M1 M2 M3 M4 M5 M10 M15 M30 H1 H4 H12 D1 W1 MN1

For current time in ms (macOS):

NOW_MS=$(python3 -c "import time; print(int(time.time()*1000))")
FROM_MS=$(python3 -c "import time; print(int(time.time()*1000) - 3600000)")

Get Live Quote / Tick Data

POST /api/live-quote

{
  "symbolId":           158,
  "quoteType":          "BID",
  "timeDeltaInSeconds": 60
}

quoteType: "BID" or "ASK"

Place a Market / Limit / Stop Order

POST /api/market-order

{
  "symbolId":           158,
  "orderType":          "MARKET",
  "tradeSide":          "BUY",
  "volume":             1000,
  "comment":            "my trade",
  "relativeStopLoss":   200,
  "relativeTakeProfit": 350
}

orderType values: "MARKET" "LIMIT" "STOP"
tradeSide values: "BUY" "SELL"

For LIMIT and STOP orders, include "price": 0.62500.
relativeStopLoss / relativeTakeProfit are in pips and apply to MARKET orders only.

Volume units (NOT lots):

volume Lots Notes
1000 0.01 Micro lot — typical minimum
10000 0.1 Mini lot
100000 1 Standard lot

Get Open Positions and Pending Orders

GET /get-data?command=ProtoOAReconcileReq

Returns position[] and order[]. Each position has positionId, symbolId, tradeSide, volume, price.

Close an Open Position

GET /get-data?command=ClosePosition \x3CpositionId> \x3CvolumeInUnits>

Example — close position 123456 with 1000 units (0.01 lot):

curl -s "http://localhost:9009/get-data?command=ClosePosition%20123456%201000"

Cancel a Pending Order

GET /get-data?command=CancelOrder \x3CorderId>

curl -s "http://localhost:9009/get-data?command=CancelOrder%20789"

Set Active Account (optional)

Account is auto-authorised from .env on startup. Only call this to switch accounts at runtime:

curl -s -X POST http://localhost:9009/api/set-account

To switch to a different account pass {"accountId": 12345678} as JSON body.

Generic Command Passthrough

Any cTrader API command can be called via:

GET /get-data?command=COMMAND_NAME arg1 arg2

No token required — credentials are read from .env on the server.

Full list of supported commands: {baseDir}/endpoints.md

Workflow: first trade

  1. Look up your symbol ID: 
    curl -s "http://localhost:9009/get-data?command=ProtoOASymbolsListReq" | python3 -c "
import sys, json
data = json.load(sys.stdin)
[print(s['symbolId'], s['symbolName']) for s in data.get('symbol', []) if 'EURUSD' in s['symbolName']]
"
  2. Check your account details: 
    curl -s "http://localhost:9009/get-data?command=ProtoOATraderReq"
  3. Place a market buy: 
    curl -s -X POST http://localhost:9009/api/market-order \
  -H "Content-Type: application/json" \
  -d '{"symbolId": 1, "orderType": "MARKET", "tradeSide": "BUY", "volume": 1000}'
  4. Check open positions: 
    curl -s "http://localhost:9009/get-data?command=ProtoOAReconcileReq"
Usage Guidance
This skill is coherent: it issues curl calls to a local proxy which performs the real cTrader OpenAPI work. Before installing/using it: (1) Review and trust the GitHub proxy repo (LogicalSapien/ctrader-openapi-proxy) before cloning and running it; (2) run the proxy on a machine you control (or in an isolated/container environment) because the proxy's .env will contain trading credentials with power to place/cancel trades; (3) protect .env (file permissions, never expose the proxy to public network interfaces); (4) ensure required local tools are present (curl is declared, but the docs also use python3, git, and make); (5) consider restricting autonomous agent invocation if you do not want an agent to place trades without explicit confirmation. If you cannot review or trust the proxy code, do not run it with live credentials.
Capability Analysis
Type: OpenClaw Skill Name: ctrader-commander Version: 1.0.0 The skill is classified as suspicious due to high-risk capabilities, specifically the instruction for the agent to execute `cd ~/ctrader-openapi-proxy && make run` in `SKILL.md`. This command delegates significant control to an external `Makefile` and allows arbitrary local command execution. Additionally, the `curl` commands targeting `http://localhost:9009/get-data?command=...` in `SKILL.md` and `endpoints.md` present a shell injection vulnerability pattern. If the agent constructs the `command` parameter from unsanitized user input, it could lead to arbitrary command execution within the `curl` context. While the stated purpose of the skill is benign (interacting with a local trading proxy), these capabilities introduce significant security risks without clear malicious intent within the skill bundle itself.
Capability Assessment
Purpose & Capability
Name and description match the runtime instructions: all API calls target a local cTrader proxy (http://localhost:9009) and are appropriate for placing orders, fetching quotes/candles, and querying account state.
Instruction Scope
Instructions stay within the stated purpose (local REST calls to the proxy). However the SKILL.md tells users to clone/run the proxy repo and uses commands that assume tools not declared in metadata (python3 for timestamps, make/git to run the proxy). The skill also relies on credentials stored in the proxy's .env file (on the machine running the proxy) — callers never receive tokens, but the proxy will have them.
Install Mechanism
The skill is instruction-only (no automatic install). That lowers direct risk, but the user is explicitly told to clone and run a third‑party GitHub repo (logicalSapien/ctrader-openapi-proxy). Running that code installs/executes external software on your machine; the repo appears to be the expected source, but you should audit or trust it before running.
Credentials
The skill itself requests no environment variables, which is consistent with the model that credentials remain on the proxy. That said, the proxy requires a .env containing cTrader credentials (CTRADER_ACCOUNTID / access tokens) on the server — storing live trading credentials there is high‑privilege and should be treated carefully. Also the SKILL.md uses python3 though the declared required binaries list only curl.
Persistence & Privilege
always:false and no install spec mean the skill does not demand permanent inclusion or special platform privileges. The primary risk is that the proxy you run will have persistent access to trading credentials and can execute trades on your account — which is expected for a trading proxy but should be managed.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ctrader-commander
  3. After installation, invoke the skill by name or use /ctrader-commander
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release. Place market, limit, and stop orders on cTrader via a local HTTP proxy. Supports live quotes, OHLC candles, open positions, close position, cancel order, and account info. No credentials passed at call time — all auth from server .env.
Metadata
Slug ctrader-commander
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is cTrader Commander?

Place and manage cTrader orders (market, limit, stop), check open positions, fetch live quotes and OHLC candles, and query account balance and equity via a l... It is an AI Agent Skill for Claude Code / OpenClaw, with 449 downloads so far.

How do I install cTrader Commander?

Run "/install ctrader-commander" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is cTrader Commander free?

Yes, cTrader Commander is completely free (open-source). You can download, install and use it at no cost.

Which platforms does cTrader Commander support?

cTrader Commander is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created cTrader Commander?

It is built and maintained by Elmo (@elmoyeldo); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments