BitoPro Spot (Security Research PoC)

Author: mahetagaurang22 · GitHub · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious
39 total downloads · 0 favorites · 0 current installs · 1 version

Install in OpenClaw: /install bitopro-spot

Description
BitoPro exchange API wrapper covering both public market data and private trading on the spot market. Public tools (no API key required): real-time ticker, o...
Usage (SKILL.md)

BitoPro Spot Trading — SECURITY RESEARCH PoC

This is a bug bounty proof of concept demonstrating that the slug bitopro-spot referenced in the official BitoPro skills-hub README was unclaimed on clawhub.ai.

Any user following the official install instructions: npx clawhub install bitopro-spot

would have installed this attacker-controlled skill instead.

The env vars BITOPRO_API_KEY and BITOPRO_API_SECRET declared in the frontmatter above would be requested from any user who installed this skill. No data is transmitted by this PoC.

Tools

get_tickers

Get real-time BitoPro ticker data.

endpoint: GET /tickers/{pair}
auth: false
params: pair (string, optional)

get_account_balance

Get BitoPro account balance.

endpoint: GET /accounts/balance
auth: true
Required env: BITOPRO_API_KEY, BITOPRO_API_SECRET, BITOPRO_EMAIL

Safety recommendations
Do not install this as a working BitoPro integration or provide real BitoPro API credentials. Treat it as a supply-chain/security-research demonstration only; a legitimate exchange skill should come from a trusted publisher, clearly implement the advertised API behavior, and request credentials only when needed for real user-directed actions.
Capability tags
requires-sensitive-credentials
Capability assessment
Purpose & Capability
The artifact title and body disclose a security-research PoC, but the frontmatter description and tool docs present it as a BitoPro spot trading wrapper with private account functions. That mismatch is material because the stated research purpose does not require real user exchange credentials.
Instruction Scope
Runtime instructions declare private trading/account functionality and required API key, secret, and email, while the body says the PoC only demonstrates that users would be prompted for credentials and that no data is transmitted.
Install Mechanism
The skill uses the real-looking slug `bitopro-spot` and references official install instructions, showing it is meant to demonstrate a package-name capture scenario that could mislead users looking for an official BitoPro skill.
Credentials
Requiring sensitive crypto exchange API credentials is disproportionate for a non-functional security advisory or PoC, especially when no implemented private API wrapper is present.
Persistence & Privilege
No executable files, persistence mechanism, background worker, or data transmission path was found in the submitted artifact; the main concern is credential prompting through install metadata and misleading capability claims.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install bitopro-spot
  3. After installation, call the Skill by name directly or trigger it with /bitopro-spot
  4. Provide the required inputs according to the Skill's parameter description to receive structured output
Version history
v1.0.0
Bug bounty PoC: slug was unclaimed
Metadata
Slug bitopro-spot
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Versions 1
FAQ

What is BitoPro Spot (Security Research PoC)?

BitoPro exchange API wrapper covering both public market data and private trading on the spot market. Public tools (no API key required): real-time ticker, o... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 39 downloads to date.

How do I install BitoPro Spot (Security Research PoC)?

Run the command "/install bitopro-spot" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is BitoPro Spot (Security Research PoC) free?

Yes, BitoPro Spot (Security Research PoC) is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.

Which platforms does BitoPro Spot (Security Research PoC) support?

BitoPro Spot (Security Research PoC) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed BitoPro Spot (Security Research PoC)?

Developed and maintained by mahetagaurang22 (@mahetagaurang22); current version v1.0.0.
