← Back to Skills Marketplace
273
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install toobit
Description
Trade crypto on Toobit exchange via natural language. Spot & USDT-M futures trading, market data queries, wallet management. Use when user mentions Toobit, o...
Usage Guidance
This skill appears to be a legitimate Toobit API adapter, but the package metadata is missing declarations for the API key/secret and needed binaries (curl/openssl/awk). Before installing: (1) only provide API credentials with the minimal permissions required (create a key that disables withdrawals and restricts trading if you only need read or trade functions); (2) verify the skill owner/source (homepage is missing) and consider trusting only well-known authors; (3) confirm the agent actually prompts for and requires explicit, user-driven confirmation for any write or withdraw actions (don't rely solely on the SKILL.md wording); (4) prefer creating and using scoped keys or a read-only key for market queries; (5) treat environment variables with secrets carefully (set them in a secure location, avoid sharing them with untrusted agents). The main red flag is the metadata omission of sensitive env vars — that inconsistency is why this is suspicious rather than benign.
Capability Analysis
Type: OpenClaw Skill
Name: toobit
Version: 1.0.0
The skill bundle provides a legitimate interface for interacting with the Toobit cryptocurrency exchange. It includes comprehensive instructions for market data, trading, and account management, while explicitly defining safety protocols such as requiring user confirmation for orders and high-risk operations like withdrawals. No evidence of data exfiltration, malicious execution, or prompt injection was found in SKILL.md or _meta.json.
Capability Assessment
Purpose & Capability
The SKILL.md describes a Toobit trading assistant (market queries, spot/futures trading, wallet management) and the instructions show exactly the API endpoints you would expect. Requesting an API key and secret for signed calls is coherent with the described purpose. However, the registry metadata declares no required environment variables or binaries even though the runtime instructions require TOOBIT_API_KEY and TOOBIT_API_SECRET and call out curl/openssl/awk usage — this omission is an inconsistency.
Instruction Scope
The SKILL.md confines actions to Toobit API calls and separates read-only, write, and high-risk (withdraw) operations. It prescribes showing parameters and prompting for confirmation before write/high-risk actions. It does not instruct reading unrelated files or exfiltrating arbitrary system data.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk. That reduces supply-chain risk.
Credentials
The SKILL.md explicitly relies on two sensitive environment variables (TOOBIT_API_KEY and TOOBIT_API_SECRET) for signing requests, but the skill's registry metadata lists no required env vars or primary credential. Also the instructions assume availability of curl, openssl, and awk but the metadata lists no required binaries. Requiring full API key/secret is appropriate for trading, but the metadata omission and lack of guidance about recommended key permission scopes (for example, recommending disabling withdrawals) are concerning because a provided secret could enable withdrawals or full account control if misused.
Persistence & Privilege
The skill is not always-enabled and does not request elevated/persistent platform privileges. However, because it enables signed trading and withdrawal calls, users must be careful: autonomous agent invocation (the platform default) combined with a high-permission API key increases risk if confirmation enforcement is imperfect. The SKILL.md requires confirmations, but enforcement depends on the agent implementation and user review.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install toobit - After installation, invoke the skill by name or use
/toobit - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the toobit skill.
- Added basic skill description and setup.
Metadata
Frequently Asked Questions
What is Toobit Trading?
Trade crypto on Toobit exchange via natural language. Spot & USDT-M futures trading, market data queries, wallet management. Use when user mentions Toobit, o... It is an AI Agent Skill for Claude Code / OpenClaw, with 273 downloads so far.
How do I install Toobit Trading?
Run "/install toobit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Toobit Trading free?
Yes, Toobit Trading is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Toobit Trading support?
Toobit Trading is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Toobit Trading?
It is built and maintained by xizhen (@xuxizhen); the current version is v1.0.0.
More Skills