Upbit Trading Skill
Author: smeuse-dev · GitHub · v1.0.0
Total downloads: 2064
Favorites: 0
Current installs: 5
Versions: 1
Install in OpenClaw
/install upbit-trading-skill
Description
Upbit real-time trading bot - GLM AI analysis, technical indicators, automated trading
Security usage recommendations
This skill is internally inconsistent and presents a shell-execution risk. Before installing or running it:
1) Do not run it on a machine with sensitive data or credentials until you audit the code and the ../zai/ask.sh script it calls; that script will be executed by the bot.
2) Treat positions.json/events.json as untrusted input — an attacker who can edit those files could inject shell metacharacters into prompts that are passed to ask.sh, enabling command injection.
3) The package metadata omitted required env vars (UPBIT_ACCESS_KEY / UPBIT_SECRET_KEY) — expect to provide API keys for Upbit; store them securely.
4) The README promises Telegram alerts and an analyze.js file that are missing — contact the author or require corrected source before using for live trading.
5) If you want to proceed, fix the code first: remove execSync use or pass arguments safely (avoid shell interpolation), sanitize any data read from local files before embedding in shell commands, explicitly declare required env vars in metadata, and ensure all external dependencies (ask.sh, GLM runtime) are known and trustworthy.
If you cannot verify those points, do not run this skill with real API keys or on production systems.
Functional analysis
Type: OpenClaw Skill
Name: upbit-trading-skill
Version: 1.0.0
The `realtime-bot.js` file uses `child_process.execSync` to execute an external shell script `./ask.sh` located in a parent directory (`../zai`). The content of `ask.sh` is not provided, making its behavior unknown and introducing a significant supply chain risk and potential arbitrary command execution vector. While the stated purpose is to interact with an AI model (GLM), the mechanism of calling an unverified external script is highly suspicious.
Capability assessment
Purpose & Capability
The SKILL.md and code claim an Upbit trading bot. However the registry metadata lists no required environment variables while the README instructs the user to set UPBIT_ACCESS_KEY and UPBIT_SECRET_KEY (used by balance.js). The README also mentions Telegram alerts and an analyze.js file which are not present in the manifest/source. The presence of an external GLM invocation via a local ../zai/ask.sh (in realtime-bot.js) is not documented in the metadata or install instructions. These discrepancies mean the declared purpose does not fully align with what the code requires and executes.
Instruction Scope
SKILL.md tells the user to set .env with Upbit keys and run node realtime-bot.js. balance.js reads .env, but realtime-bot.js does not load .env (it uses only public ticker endpoints). The bot writes and reads local files (positions.json, events.json, trade_log.json) which could be manipulated by an attacker. realtime-bot.js executes an external script (cd ../zai && ./ask.sh ...) and passes constructed prompt text to the shell — this grants the skill the ability to run arbitrary local code and there is an injection surface where prompt content can contain shell metacharacters. The docs also promise features (Telegram alerts, analyze.js) that are not implemented in the provided code.
Install Mechanism
There is no install spec (instruction-only), which is lower risk generally, but realtime-bot.js relies on an external local script at ../zai/ask.sh and expects a local GLM runtime (glm-4.7). Running the skill will attempt to execute that external script if present; that effectively pulls arbitrary code execution into the bot's runtime even though nothing in metadata declares or packages that dependency.
Credentials
Registry metadata shows no required env vars, yet SKILL.md instructs users to set UPBIT_ACCESS_KEY and UPBIT_SECRET_KEY (and optionally a GLM API key). balance.js reads UPBIT_ACCESS_KEY and UPBIT_SECRET_KEY from .env and uses them to sign JWTs — consistent with Upbit APIs, but the missing declaration is an incoherence. The optional GLM API key is mentioned but the code does not read it (it uses a local ask.sh instead), so environment/credential guidance is inconsistent and under-specified.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It persists and reads files in its directory (positions.json, events.json, trade_log.json) which is typical for a bot, but these files can be manipulated and are used to build prompts passed to an external shell script — increasing the blast radius if local files are untrusted.
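How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install upbit-trading-skill
- After installation, call the Skill by name or use /upbit-trading-skill to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history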
v1.0.0
Initial release of upbit-trading-skill:
- AI-driven real-time cryptocurrency trading bot for Upbit.
- Integrates technical indicators: RSI, MACD, Bollinger Bands, MA/EMA.
- Uses GLM-4.7 for market analysis.
- 10-second market monitoring intervals.
- Supports configurable take-profit/stop-loss automation.
- Real-time notifications via Telegram.
- Simple setup with Node.js and Upbit API keys.
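Metadata
FAQ
What is Upbit Trading Skill?
Upbit real-time trading bot - GLM AI analysis, technical indicators, automated trading. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2064 cumulative downloads to date.
How do I install Upbit Trading Skill?
Run the command "/install upbit-trading-skill" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Upbit Trading Skill free?
Yes, Upbit Trading Skill is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Upbit Trading Skill support?
Upbit Trading Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Upbit Trading Skill?
Developed and maintained by smeuse-dev (@smeuse-dev); the current version is v1.0.0.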