newbienodes

Trade Memory

Author: Indra Riswana · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 587
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install trade-memory
Description
Save a trade or signal event to local memory log file (trades.jsonl). Use when a trade signal is confirmed and needs to be recorded, saved, or logged for fut...
Security usage recommendations
Do not install or run this skill until you verify where save.py comes from. The SKILL.md expects a local Python file at ~/.npm-global/lib/node_modules/openclaw/skills/trade-memory/save.py and will append to /home/windows_11/.openclaw/polymarket-workspace/trades.jsonl, but the skill package provides no code or installer. Actions to take before use:
- Inspect the actual save.py that would be executed (open its source) and confirm its contents and origin.
- If you maintain the file, prefer packaging the script with the skill or provide an explicit install step rather than relying on an arbitrary npm-global path.
- If you don't control the host path, refuse installation or run in a sandbox until provenance is confirmed.
- Consider modifying the skill to write to a configurable, documented path and to include the script inline in the skill bundle so behavior is auditable.
- Treat the 'always run the script — never simulate' instruction as an extra risk: ensure the script is safe before permitting autonomous execution.
Functional analysis
Type: OpenClaw Skill
Name: trade-memory
Version: 1.0.0

The `SKILL.md` file instructs the AI agent to execute a local Python script using user-provided JSON input (`python3 ... save.py '<JSON_INPUT>'`). This command structure is highly vulnerable to shell injection if the AI agent does not properly escape the `JSON_INPUT` string before embedding it within single quotes in the shell command. A malicious user could craft the JSON input to break out of the quotes and execute arbitrary commands on the host system.

Additionally, the 'Guardrails' section contains a prompt injection instruction ('Always run the script — never simulate or fake a save confirmation') which attempts to override agent safety mechanisms, indicating a potential for agent manipulation.
Capability assessment
Purpose & Capability
The goal (persist trade events) reasonably needs a local script and python3, but the SKILL.md assumes a specific script exists at ~/.npm-global/lib/node_modules/openclaw/skills/trade-memory/save.py and writes to /home/windows_11/.openclaw/... — the skill bundle contains neither code nor install instructions to create that script or ensure the file path exists, which is inconsistent.
Instruction Scope
Runtime instructions explicitly tell the agent to execute a local Python script with user-supplied JSON and to 'always run the script — never simulate.' They reference specific filesystem paths and create/write behavior. Because the script is not included, following the instructions could cause the agent to execute an unexpected local binary or fail; the directive to always execute increases risk if a malicious or replaced script exists at that path.
Install Mechanism
There is no install spec or code files. Yet the instructions rely on a script stored under an npm-global path. This is a packaging/integration mismatch: either the skill should include the save.py or provide an install step. The lack of an authoritative source for the script means the agent will rely on whatever is already on the host, which is unsafe/unreliable.
Credentials
The skill requests only python3 and no credentials, which is proportional to logging trades. However, it hardcodes user-specific filesystem locations (~ and /home/windows_11) without declaring config paths; this may lead to accidental access of unrelated files or failure on different hosts.
Persistence & Privilege
The skill does not request persistent/always-enabled privileges and is user-invocable. Still, because it instructs execution of a local script and creation/appending of files, verify the script's provenance before allowing the agent to run it autonomously.
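How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install trade-memory
  3. Once installation is complete, call the Skill by name or trigger it with /trade-memory
  4. Provide the required input according to the Skill's parameter description to get structured output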
Version history
v1.0.0
Initial release of trade-memory skill.
- Enables saving confirmed trade events or signals to a persistent local JSONL log file (trades.jsonl).
- Accepts and validates structured JSON trade data input, with auto-generated timestamp if missing.
- Safely appends each trade as one JSON line, auto-creating files/directories if needed.
- Returns a JSON confirmation on success or error on invalid input.
- Designed for easy integration with trade bots, agents, or manual logging.
Metadata
Slug: trade-memory
Version: 1.0.0
License:
Total installs: 0
Current installs: 0
Number of versions: 1
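FAQ

What is Trade Memory?

Save a trade or signal event to local memory log file (trades.jsonl). Use when a trade signal is confirmed and needs to be recorded, saved, or logged for fut... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 587 total downloads so far.

How do I install Trade Memory?

Run the command "/install trade-memory" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Trade Memory free?

Yes, Trade Memory is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Trade Memory support?

Trade Memory runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Trade Memory?

It is developed and maintained by Indra Riswana (@newbienodes); the current version is v1.0.0.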
