OpenMM Exchange Setup

Step-by-step guide to configure exchange API credentials for OpenMM.

This skill is coherent for configuring OpenMM exchange credentials, but take these precautions before installing or using it: 1) Verify the npm package publisher and inspect the package (or its repository) before installing globally; do not blindly trust a scoped package without checking its source. 2) Prefer storing keys in a secure secret manager or environment variables rather than embedding them in JSON config files; never commit files containing keys. 3) Use least-privilege API keys (disable withdrawals, restrict to required permissions, and use IP whitelisting). 4) For troubleshooting commands that require privileges (e.g., 'sudo ntpdate'), prefer safer, documented time-sync methods for your OS and avoid running privileged commands without understanding them. 5) Test with low-value accounts/keys first and rotate keys after use. If you can provide the package repository or a link to the npm page for @3rd-eye-labs/openmm, I can raise or lower my confidence and re-evaluate the install risk.

Type: OpenClaw Skill Name: openmm-exchange-setup Version: 0.1.0 The skill guides users through configuring API credentials for cryptocurrency exchanges, which inherently involves handling sensitive information. It instructs the agent to install and run external npm packages via `npx` (`@3rd-eye-labs/openmm`, `@qbtlabs/openmm-mcp`), introducing a supply chain risk. More critically, the `SKILL.md` includes a troubleshooting step (`sudo ntpdate time.google.com`) that involves executing a `sudo` command. While the command itself is for a legitimate purpose (system clock synchronization), its presence in an agent-executed markdown file represents a potential privilege escalation or arbitrary command execution vulnerability if the agent executes `sudo` commands without explicit user consent or proper sandboxing. There is no clear evidence of intentional malicious behavior like data exfiltration or backdoors.