tradr

Onchain trade execution engine. Feed a CA + score, get full trade lifecycle — sized entry, mode-based exits, on-chain verification, and trade logging. Requires Bankr skill.

What to check before installing and running tradr: - Trust boundary with Bankr: tradr delegates all on-chain execution to the Bankr skill via the configured bankr.sh. Review the bankr.sh script and Bankr skill config (API key location and behavior). This skill sets BANKR_ALLOW_TRADE / BANKR_ALLOW_SELL in the child process environment to bypass Bankr trade guards — ensure bankr.sh enforces authentication/authorization appropriately. - Install as a user service first: setup.sh writes a systemd unit and will try to put it in /etc/systemd/system (root). Prefer ./scripts/setup.sh --user to install under your user if you want lower privilege and to test behavior. - Protect notification secrets: notify-telegram.sh sources ~/.env.secrets or a local .env.secrets file for TELEGRAM_* tokens. If you use notifications, store those secrets with strict filesystem permissions and review the script. - Wallet private keys: tradr claims not to touch private keys; it relies on Bankr to perform trades. Do not put private keys into tradr config.json; ensure Bankr's secret handling is secure. - Review config.json and RPC endpoints: ensure rpc_urls, wallets, and token_gate settings are correct. Default token_gate values could lock you out if enabled unintentionally. - Test offline/sandbox: run scripts/test-tradr.py and exercise tradr-enter.py against a dry-run or a non-production configuration before enabling the systemd service. - Audit filesystem and permissions: tradr writes workspace files (positions, trade log). Confirm their locations and permission expectations to avoid exposing sensitive data. If you are comfortable with these points and trust the Bankr skill (or have audited bankr.sh), tradr appears coherent for its stated purpose. If you cannot audit Bankr or do not want an autonomous systemd service that can trigger trades, do not enable the service system-wide and avoid populating secrets/configs until you have reviewed the code.

Type: OpenClaw Skill Name: tradr Version: 1.0.0 The skill is classified as suspicious due to several high-risk behaviors, primarily the potential for privilege escalation and risky inter-skill communication. The `scripts/setup.sh` script installs `scripts/exit-manager.py` as a systemd service, which can be configured to run with root privileges (`sudo systemctl start`). This significantly increases the impact of any potential vulnerability within `exit-manager.py`. Furthermore, both `scripts/tradr-enter.py` and `scripts/exit-manager.py` execute the `bankr.sh` dependency with environment variables `BANKR_ALLOW_TRADE=1` and `BANKR_ALLOW_SELL=1`, which bypass internal guards in the `bankr` skill. While intended for mechanical pipeline operation, this design choice could be a vulnerability if `bankr.sh` expects more stringent checks from its callers. Finally, `scripts/notify-telegram.sh` (called by the main scripts) exfiltrates detailed trade information (buys, sells, P&L, errors) to Telegram, loading API tokens from `.env.secrets`. While this is a stated feature for notifications, it represents external data transmission of operational data.