功能描述

Place and manage cTrader orders (market, limit, stop), check open positions, fetch live quotes and OHLC candles, and query account balance and equity via a l...

使用说明 (SKILL.md)

cTrader Commander

Name: cTrader Commander
Author: elmoyeldo

Use when the user wants to place trades, check positions or balance, get live prices, fetch candles, or manage orders on a cTrader account.

All calls go to http://localhost:9009 — credentials live in .env on the server, never passed by callers.

Proxy repo: https://github.com/LogicalSapien/ctrader-openapi-proxy Clone it, add your .env, and run make run to start the proxy before using this skill.

Full reference: {baseDir}/endpoints.md

Check proxy is running

curl -s "http://localhost:9009/get-data?command=ProtoOAVersionReq"

If it fails, start the proxy: cd ~/ctrader-openapi-proxy && make run

Find symbol IDs (do this first)

Symbol IDs are broker-specific — look them up before placing orders or fetching data:

curl -s "http://localhost:9009/get-data?command=ProtoOASymbolsListReq"

Returns symbol[] with symbolId and symbolName. Note the ID for your instrument.

Place a market order

curl -s -X POST http://localhost:9009/api/market-order \
  -H "Content-Type: application/json" \
  -d '{"symbolId": 158, "orderType": "MARKET", "tradeSide": "BUY", "volume": 1000}'

Volume is in units: 1000 = 0.01 lot · 10000 = 0.1 lot · 100000 = 1 lot. Add "relativeStopLoss": 200, "relativeTakeProfit": 350 (pips, market orders only).

Place a limit or stop order

curl -s -X POST http://localhost:9009/api/market-order \
  -H "Content-Type: application/json" \
  -d '{"symbolId": 158, "orderType": "LIMIT", "tradeSide": "BUY", "volume": 1000, "price": 0.62500}'

orderType: MARKET · LIMIT · STOP — tradeSide: BUY · SELL

Get OHLC candles

NOW_MS=$(python3 -c "import time; print(int(time.time()*1000))")
FROM_MS=$(python3 -c "import time; print(int(time.time()*1000) - 3600000)")
curl -s -X POST http://localhost:9009/api/trendbars \
  -H "Content-Type: application/json" \
  -d "{\"fromTimestamp\": $FROM_MS, \"toTimestamp\": $NOW_MS, \"period\": \"M5\", \"symbolId\": 158}"

Periods: M1 M2 M3 M4 M5 M10 M15 M30 H1 H4 H12 D1 W1 MN1

Get live quote (tick data)

curl -s -X POST http://localhost:9009/api/live-quote \
  -H "Content-Type: application/json" \
  -d '{"symbolId": 158, "quoteType": "BID", "timeDeltaInSeconds": 60}'

quoteType: BID or ASK

Open positions and pending orders

curl -s "http://localhost:9009/get-data?command=ProtoOAReconcileReq"

Close a position

curl -s "http://localhost:9009/get-data?command=ClosePosition%20123456%201000"
# ClosePosition \x3CpositionId> \x3CvolumeInUnits>

Cancel a pending order

curl -s "http://localhost:9009/get-data?command=CancelOrder%20789"

Account info (balance, equity, leverage)

curl -s "http://localhost:9009/get-data?command=ProtoOATraderReq"

A local HTTP proxy (localhost:9009) that wraps the cTrader OpenAPI Protobuf connection and exposes it as a REST API. No credentials are passed at call time — they are loaded from .env on the server.

Full endpoint reference: {baseDir}/endpoints.md Python usage examples: {baseDir}/examples.md

Prerequisites

The proxy must be running before any call. If unsure, check:

curl -s "http://localhost:9009/get-data?command=ProtoOAVersionReq"

If it returns JSON, the proxy is up. If it fails, start it:

cd ~/ctrader-openapi-proxy && make run

IMPORTANT: Symbol IDs are broker-specific

Always look up the symbol ID before placing orders or fetching candle/tick data. Symbol IDs differ between brokers and between demo and live accounts.

curl -s "http://localhost:9009/get-data?command=ProtoOASymbolsListReq"

Response contains symbol[] with symbolId and symbolName. Find your instrument and note its symbolId.

Endpoints

Get OHLC Candles

POST /api/trendbars

{
  "fromTimestamp": 1700000000000,
  "toTimestamp":   1700086400000,
  "period":        "M5",
  "symbolId":      158
}

period options: M1 M2 M3 M4 M5 M10 M15 M30 H1 H4 H12 D1 W1 MN1

For current time in ms (macOS):

NOW_MS=$(python3 -c "import time; print(int(time.time()*1000))")
FROM_MS=$(python3 -c "import time; print(int(time.time()*1000) - 3600000)")

Get Live Quote / Tick Data

POST /api/live-quote

{
  "symbolId":           158,
  "quoteType":          "BID",
  "timeDeltaInSeconds": 60
}

quoteType: "BID" or "ASK"

Place a Market / Limit / Stop Order

POST /api/market-order

{
  "symbolId":           158,
  "orderType":          "MARKET",
  "tradeSide":          "BUY",
  "volume":             1000,
  "comment":            "my trade",
  "relativeStopLoss":   200,
  "relativeTakeProfit": 350
}

orderType values: "MARKET" "LIMIT" "STOP"
tradeSide values: "BUY" "SELL"

For LIMIT and STOP orders, include "price": 0.62500.
relativeStopLoss / relativeTakeProfit are in pips and apply to MARKET orders only.

Volume units (NOT lots):

`volume`	Lots	Notes
`1000`	0.01	Micro lot — typical minimum
`10000`	0.1	Mini lot
`100000`	1	Standard lot

Get Open Positions and Pending Orders

GET /get-data?command=ProtoOAReconcileReq

Returns position[] and order[]. Each position has positionId, symbolId, tradeSide, volume, price.

Close an Open Position

GET /get-data?command=ClosePosition \x3CpositionId> \x3CvolumeInUnits>

Example — close position 123456 with 1000 units (0.01 lot):

curl -s "http://localhost:9009/get-data?command=ClosePosition%20123456%201000"

Cancel a Pending Order

GET /get-data?command=CancelOrder \x3CorderId>

curl -s "http://localhost:9009/get-data?command=CancelOrder%20789"

Set Active Account (optional)

Account is auto-authorised from .env on startup. Only call this to switch accounts at runtime:

curl -s -X POST http://localhost:9009/api/set-account

To switch to a different account pass {"accountId": 12345678} as JSON body.

Generic Command Passthrough

Any cTrader API command can be called via:

GET /get-data?command=COMMAND_NAME arg1 arg2

No token required — credentials are read from .env on the server.

Full list of supported commands: {baseDir}/endpoints.md

Workflow: first trade

Look up your symbol ID:

curl -s "http://localhost:9009/get-data?command=ProtoOASymbolsListReq" | python3 -c "
import sys, json
data = json.load(sys.stdin)
[print(s['symbolId'], s['symbolName']) for s in data.get('symbol', []) if 'EURUSD' in s['symbolName']]
"

Check your account details:

curl -s "http://localhost:9009/get-data?command=ProtoOATraderReq"

Place a market buy:

curl -s -X POST http://localhost:9009/api/market-order \
  -H "Content-Type: application/json" \
  -d '{"symbolId": 1, "orderType": "MARKET", "tradeSide": "BUY", "volume": 1000}'

Check open positions:

curl -s "http://localhost:9009/get-data?command=ProtoOAReconcileReq"

安全使用建议

This skill is coherent: it issues curl calls to a local proxy which performs the real cTrader OpenAPI work. Before installing/using it: (1) Review and trust the GitHub proxy repo (LogicalSapien/ctrader-openapi-proxy) before cloning and running it; (2) run the proxy on a machine you control (or in an isolated/container environment) because the proxy's .env will contain trading credentials with power to place/cancel trades; (3) protect .env (file permissions, never expose the proxy to public network interfaces); (4) ensure required local tools are present (curl is declared, but the docs also use python3, git, and make); (5) consider restricting autonomous agent invocation if you do not want an agent to place trades without explicit confirmation. If you cannot review or trust the proxy code, do not run it with live credentials.

功能分析

Type: OpenClaw Skill Name: ctrader-commander Version: 1.0.0 The skill is classified as suspicious due to high-risk capabilities, specifically the instruction for the agent to execute `cd ~/ctrader-openapi-proxy && make run` in `SKILL.md`. This command delegates significant control to an external `Makefile` and allows arbitrary local command execution. Additionally, the `curl` commands targeting `http://localhost:9009/get-data?command=...` in `SKILL.md` and `endpoints.md` present a shell injection vulnerability pattern. If the agent constructs the `command` parameter from unsanitized user input, it could lead to arbitrary command execution within the `curl` context. While the stated purpose of the skill is benign (interacting with a local trading proxy), these capabilities introduce significant security risks without clear malicious intent within the skill bundle itself.

能力评估

✓ Purpose & Capability

Name and description match the runtime instructions: all API calls target a local cTrader proxy (http://localhost:9009) and are appropriate for placing orders, fetching quotes/candles, and querying account state.

ℹ Instruction Scope

Instructions stay within the stated purpose (local REST calls to the proxy). However the SKILL.md tells users to clone/run the proxy repo and uses commands that assume tools not declared in metadata (python3 for timestamps, make/git to run the proxy). The skill also relies on credentials stored in the proxy's .env file (on the machine running the proxy) — callers never receive tokens, but the proxy will have them.

ℹ Install Mechanism

The skill is instruction-only (no automatic install). That lowers direct risk, but the user is explicitly told to clone and run a third‑party GitHub repo (logicalSapien/ctrader-openapi-proxy). Running that code installs/executes external software on your machine; the repo appears to be the expected source, but you should audit or trust it before running.

ℹ Credentials

The skill itself requests no environment variables, which is consistent with the model that credentials remain on the proxy. That said, the proxy requires a .env containing cTrader credentials (CTRADER_ACCOUNTID / access tokens) on the server — storing live trading credentials there is high‑privilege and should be treated carefully. Also the SKILL.md uses python3 though the declared required binaries list only curl.

✓ Persistence & Privilege

always:false and no install spec mean the skill does not demand permanent inclusion or special platform privileges. The primary risk is that the proxy you run will have persistent access to trading credentials and can execute trades on your account — which is expected for a trading proxy but should be managed.

版本历史

v1.0.0

Initial release. Place market, limit, and stop orders on cTrader via a local HTTP proxy. Supports live quotes, OHLC candles, open positions, close position, cancel order, and account info. No credentials passed at call time — all auth from server .env.

元数据

Slug ctrader-commander

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题