← 返回 Skills 市场

AI News BNB Trader

Name: AI News BNB Trader
Author: happyrstudent

作者 happyRstudent · GitHub ↗ · v0.1.0

cross-platform ⚠ suspicious

283

总下载

当前安装

版本数

在 OpenClaw 中安装

/install ai-news-bnb-trader

功能描述

TypeScript (Node.js 20+) AI news-driven BNB strategy trading bot for BSC. Use when user wants event/news sentiment signals, strict risk controls, and automat...

使用说明 (SKILL.md)

AI News BNB Trader

Run an event-driven BSC trading bot using news sentiment + risk gates.

Safety first

Default DRY_RUN=true.
Never print private key/seed in logs.
Only whitelist assets (WBNB, USDT/BUSD/USDC).
Panic mode immediately disables trading.

Commands

npm run start -- start
npm run start -- status
npm run start -- panic
npm run start -- revoke-approvals
npm run key:encrypt -- --out ./secrets/key.json

News modes

Poll REST via NEWS_API_URL every NEWS_POLL_SECONDS
Optional WebSocket via NEWS_WS_URL

Both modes dedupe on news.id and log failures with exponential backoff.

Signal models

RuleSignalModel (default): keyword rules with explainable reasons
OpenAISignalModel (optional): enabled when OPENAI_API_KEY is set; timeout + fallback to rules

Strategy

Buy WBNB with stablecoin if sentiment * impact >= BUY_THRESHOLD and confidence >= MIN_CONF
Sell WBNB to stablecoin if sentiment * impact \x3C= -SELL_THRESHOLD and confidence >= MIN_CONF
Enforce all risk gates before execution

Risk controls

Max order notional / max position pct / daily trade cap
Daily loss cap (MTM approximation)
TP/SL from avg entry
Cooldown between trades
Slippage cap from quote
Consecutive failures -> SAFE_MODE

Notes

Prefer private RPC (PRIVATE_RPC_URL) when provided.
For production: validate token/DEX addresses and add deeper MEV defenses.

安全使用建议

This repository contains a real trading bot that will perform on-chain swaps and can revoke approvals — it legitimately needs a wallet private key (or an encrypted key + passphrase), RPC endpoints, and optional API keys (OpenAI, 1inch). The registry metadata omits these required env vars, which is a red flag: before running, review the code locally, and follow these precautions: - Do not supply your main/large-balance wallet private key. Use a fresh wallet with minimal funds for testing. - Keep DRY_RUN=true while evaluating; verify behavior in dry-run mode and inspect logs and saved state-data before enabling real trades. - Inspect NEWS_API_URL and NEWS_WS_URL sources to ensure they are trusted (the bot executes trades based on that feed). - If using the encrypt CLI, the code uses AES-256-GCM + scrypt; verify encryption/decryption locally and ensure KEY_PASSPHRASE is handled securely. Note the logger redacts some envs but not KEY_PASSPHRASE or RPC secrets — avoid putting passphrases into logs or shared environments. - Audit and limit RPC and DEX API credentials; prefer a private RPC provider and restrict API keys to minimal scopes where possible. - Consider running in an isolated environment (container, VM) and reviewing the package.json dependencies with npm audit before install. Because the metadata is inconsistent and this code can move funds, treat this as suspicious until you perform the above checks and validate all configuration and endpoints.

功能分析

Type: OpenClaw Skill Name: ai-news-bnb-trader Version: 0.1.0 The skill is a legitimate news-driven trading bot for the Binance Smart Chain (BSC) with a focus on safety and risk management. It includes security-conscious features such as a log redactor to prevent leaking private keys or API tokens (src/utils/logger.ts), an AES-256-GCM encryption utility for local key storage (src/wallet/key-manager.ts), and a dedicated risk manager that enforces daily loss caps and position limits (src/risk/risk-manager.ts). The code logic is transparent, follows the stated purpose in SKILL.md, and contains no evidence of data exfiltration, malicious execution, or prompt injection.

能力评估

⚠ Purpose & Capability

The skill claims to be a TypeScript/node BNB trading bot — the source code matches that purpose (news fetcher, signal models, risk gates, DEX integration). However the published metadata / registry entries say 'Required env vars: none' and 'No install spec / instruction-only' while the bundle contains full source and expects sensitive env vars (EVM_PRIVATE_KEY or ENCRYPTED_KEY_PATH + KEY_PASSPHRASE, OPENAI_API_KEY, ONEINCH_API_KEY, RPC URLs, NEWS_API_URL). That metadata omission is an incoherence (sensitive credentials are required for the claimed functionality).

✓ Instruction Scope

SKILL.md and the CLI commands match the code's runtime behavior (start/status/panic/revoke-approvals, key encryption). The instructions request news endpoints, RPCs, and key material which the code consumes. The runtime instructions do not appear to request unrelated system data, but they do direct the agent to perform network calls and on-chain transactions (swap, revoke approvals) when not in dry-run.

ℹ Install Mechanism

There is no explicit install spec in the registry (instruction-only), but the package includes package.json and package-lock.json so npm install is required. Dependencies are standard (dotenv, ethers, dev tooling). No remote arbitrary downloads or obscure install URLs are present; risk here is typical for an npm package.

⚠ Credentials

The code requires highly sensitive secrets to operate: an EVM private key (or encrypted key + passphrase), RPC URLs (PRIVATE_RPC_URL or RPC_URL), and optional API keys (OPENAI_API_KEY, ONEINCH_API_KEY). Those credentials are proportionate to a trading bot, but the registry metadata does not declare them. Also logger redacts only some envs (EVM_PRIVATE_KEY, OPENAI_API_KEY, ONEINCH_API_KEY) but not KEY_PASSPHRASE or RPC auth tokens — potential leakage points. The skill should have declared required env vars in metadata and documented minimal-permission recommendations.

✓ Persistence & Privilege

The skill does not request always:true, does not modify other skills, and only writes to its own state directory (state-data) and to an encrypted key file if the CLI is used. It will persist its bot-state and optionally an encrypted key file; it will also send transactions that can move funds. Autonomous invocation (default) is present but expected for a skill of this type.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install ai-news-bnb-trader
安装完成后，直接呼叫该 Skill 的名称或使用 /ai-news-bnb-trader 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.0

Initial release

元数据

Slug ai-news-bnb-trader

版本 0.1.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题