thecleopatra

TradingFlow — AI-Powered Intent Trading Across Crypto, Stocks & More

Author: Caesar Lynch · GitHub · v0.0.2 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 109
Favorites: 1
Current installs: 0
Versions: 2
Install in OpenClaw
/install tradingflow
Description
Create and manage crypto trading strategies, deploy automated trading bots, and control on-chain vaults on BSC, Aptos, and Solana. Use when the user wants to...
Security recommendations
Key things to consider before installing or using this skill:
- Metadata mismatch: The skill registry lists no required credentials, but the SKILL.md and scripts require TRADINGCLAW_API_KEY and TRADINGCLAW_BASE_URL. Ask the publisher why registry metadata omits these and insist they be declared.
- Do not hand over private keys lightly: The skill's Mode 2 workflow asks you to generate and store an 'Oracle' private key (VAULT_ORACLE_KEY). Only do this if you fully trust the platform, have audited the service, and understand that this key can sign on-chain transactions (even if scoped by permissions). Prefer Mode 1 (manual approvals) whenever possible.
- Start with least privilege: If you test the skill, create an API key with minimal scope, grant agent permissions = 1 (SWAP only), and set conservative token spending limits. Use testnet or a small amount first.
- Verify endpoints & ownership: The SKILL.md uses tradingflow.fun and api.tradingflow.fun but the package source & homepage are listed as unknown/none. Confirm the service identity and ownership outside the skill (official website, GitHub org, independent reviews). Do not reuse high-privilege keys from other services.
- Watch webhooks: The documentation shows inbound webhook URLs 'No authentication required'. If you use webhooks, require HMAC secrets or limit sources to trusted IPs to avoid unauthenticated triggers.
- Validate contradictory instructions: The skill contains contradictory guidance around using GET /auth/me. Ask the maintainer to clarify the correct validation flow and update docs.
- Operational hygiene: Avoid placing API keys or private keys in global shell profile files. Use ephemeral environment variables, scoped secrets storage, and rotate keys after testing. Monitor process logs and secret accesses, and revoke roles immediately if behavior is unexpected.
If you cannot verify the publisher or fix the metadata inconsistencies, treat this skill as untrusted and do not provide real funds or private keys to it.
Functional analysis
Type: OpenClaw Skill
Name: tradingflow
Version: 0.0.2
The 'tradingflow' skill bundle is a comprehensive integration for a crypto trading platform, providing tools for strategy management, automated bot deployment, and on-chain vault operations (BSC, Aptos, Solana). While it handles sensitive operations like private key management (Oracle keys) and fund transfers, it incorporates robust security controls including AES-256-GCM encryption for secrets, mandatory browser-based approval flows for transactions, and an 'R&D Mode' safety gate for high-risk configurations. The instructions in SKILL.md are well-aligned with the stated purpose and explicitly direct the agent to follow security best practices, such as avoiding the logging of secrets and ensuring user approval for all on-chain actions.
Capability assessment
Purpose & Capability
Name and description match the included instructions (manage strategies, deploy bots, control vaults). However the registry metadata claims no required env vars or binaries while the SKILL.md and included scripts explicitly require TRADINGCLAW_API_KEY, TRADINGCLAW_BASE_URL, TRADINGCLAW_SITE_URL and tools like curl/jq/python/node. That mismatch between declared requirements and actual runtime needs is an incoherence and reduces trust in the package metadata.
Instruction Scope
The SKILL.md tells the agent to perform many high-sensitivity actions: validate API access, create strategies/processes, create and store secrets (VAULT_ORACLE_KEY), generate approval links and poll approval status, and guide users to set environment variables. This is broadly consistent with a trading platform, but the instructions contain contradictions (e.g., an earlier 'Do NOT use GET /auth/me for validation' vs. a later 'Check GET /auth/me → data.user.rdMode.enabled') and grant the agent discretion to create persistent automated execution (Mode 2) and secrets. The webhook docs also list inbound trigger URLs as 'No authentication required', a notable operational/security risk if relied on without HMAC secrets.
Install Mechanism
No install spec (instruction-only) and included scripts are simple shell curl wrappers. There are no downloads from arbitrary URLs or package installs. This minimizes on-disk risk from the installer itself.
Credentials
The manifest claims no required environment variables, but the SKILL.md and scripts require TRADINGCLAW_API_KEY, TRADINGCLAW_BASE_URL, and optionally TRADINGCLAW_SITE_URL; other referenced runtime variables include TFP_SECRET_TOKEN, VAULT_ORACLE_KEY, BSC_RPC_URL, and more. Those secrets are highly sensitive (private keys / API keys). While such credentials are proportionate to a vault/trading skill, they are not declared in the registry metadata and the skill explicitly guides users to create and store private oracle keys — a dangerous operation if the back-end or publisher is untrusted.
Persistence & Privilege
always:false (normal), and the skill can be invoked autonomously. The skill instructs creating long-lived cloud processes and storing secrets on the TradingFlow platform; that is expected for a trading automation product but increases blast radius because the agent can set up processes that sign transactions (Mode 2). This, combined with the other inconsistencies (undeclared env vars and guidance to store private keys), elevates the risk profile.
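How to use
  1. Make sure OpenClaw is installed (locally or deployed with Docker)
  2. Enter the install command in the chat box: /install tradingflow
  3. Once installation completes, call the Skill by name or trigger it with /tradingflow
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history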
v0.0.2
## v0.0.2 (2026-03-22)
### Fixed
- **Instruction conflict resolved**: Removed contradictory `/auth/me` validation guidance
  - Agent uses API key (`x-api-key` header), cannot call `/auth/me` (requires JWT token)
  - Correct flow: attempt `POST /user-secrets`, handle `403 RD_MODE_REQUIRED` response
  - Updated R&D Mode check instructions (line 487-503, 999)
- **Security scan improvements**: Addressed ClawHub "Instruction Scope" warning
### Documentation
- Clarified that `/auth/me` is frontend-only (JWT-based), not for Agent validation
- Updated security best practices to match actual API behavior
v0.0.1
Initial release of TradingFlow skill for automated crypto trading and DeFi management.
- Enables users to create, deploy, and manage crypto trading strategies and bots on BSC, Aptos, and Solana via natural language.
- Provides on-chain vault management (deposit, withdraw, balances, permissions).
- Integrates onboarding flow for new users, including API key setup and environment checks.
- Includes automatic workflow/visual strategy builder with every strategy.
- Supports community strategy discovery and automated trading process monitoring.
- Offers fine-grained guidance for agent-driven conversations and approvals.
Metadata
Slug tradingflow
Version 0.0.2
License MIT-0
Total installs 0
Current installs 0
Number of versions 2
FAQ

What is TradingFlow — AI-Powered Intent Trading Across Crypto, Stocks & More?

Create and manage crypto trading strategies, deploy automated trading bots, and control on-chain vaults on BSC, Aptos, and Solana. Use when the user wants to... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 109 total downloads to date.

How do I install TradingFlow — AI-Powered Intent Trading Across Crypto, Stocks & More?

Run the command "/install tradingflow" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is TradingFlow — AI-Powered Intent Trading Across Crypto, Stocks & More free?

Yes, TradingFlow — AI-Powered Intent Trading Across Crypto, Stocks & More is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does TradingFlow — AI-Powered Intent Trading Across Crypto, Stocks & More support?

TradingFlow — AI-Powered Intent Trading Across Crypto, Stocks & More runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed TradingFlow — AI-Powered Intent Trading Across Crypto, Stocks & More?

It is developed and maintained by Caesar Lynch (@thecleopatra); the current version is v0.0.2.
