vibetrading-ai-trading-code-generator

Generate executable Hyperliquid trading strategy code from natural language prompts. Use when a user wants to create automated trading strategies for Hyperliquid exchange based on their trading ideas, technical indicators, or VibeTrading signals. The skill generates complete Python code with proper error handling, logging, and configuration using actual Hyperliquid API wrappers.

This skill is functionally aligned with its purpose but has several red flags and outright coding issues — do not run it with live exchange credentials or on an unrestricted machine yet. Specifically: - Inspect api_wrappers/hyperliquid_api.py carefully to verify where network requests go and whether secrets are used or exfiltrated. Ensure endpoints are legitimate. - Review code_validator.py: it creates and runs a temporary script that imports target modules. That import may execute arbitrary code with side effects (network calls, filesystem, order placement). Avoid running the validator on untrusted/generated modules until audited, or run it inside an isolated sandbox/container without network access. - Fix the obvious mismatches and syntax issues (examples: malformed return values like {"filepath"(filepath)}, missing imports of Path in validator, and truncated/ malformed blocks). Several files contain syntax/logic errors and will likely crash or behave unpredictably. - Do not provide production Hyperliquid API keys or account addresses to this code until you (or a trusted developer) have audited and corrected the code and run it in a testnet/sandbox environment. Prefer testnet API keys, or mock the API layer when validating/generating code. - Ask the publisher (or request an updated package) to: (1) declare required env vars in the registry metadata, (2) fix SKILL.md to reference the actual script names, (3) remove or clearly document any validation steps that import/execute user code, and (4) fix the syntax/logic errors before using in production. If you want, I can: point out specific lines with likely bugs, list the exact files that appear to execute imports/subprocesses, or draft an isolated test plan (container + dummy keys) you can use to safely evaluate the skill.

Type: OpenClaw Skill Name: vibetrading-code-gen Version: 1.0.0 The skill is classified as suspicious due to its core functionality involving dynamic code generation and execution, which inherently carries high risks. Specifically, `backtest_engine/historical_backtest.py` and `scripts/backtest_runner.py` use `importlib.util.spec_from_file_location` and `spec.loader.exec_module` to load and run generated strategies, while `scripts/code_validator.py` uses `subprocess.run` to execute Python commands for validation. These capabilities, though necessary for a code generator and backtester, represent significant Remote Code Execution (RCE) vulnerabilities if input (e.g., user prompts, generated code content) is not perfectly sanitized. While there is no clear evidence of intentional malicious behavior like data exfiltration to unauthorized endpoints or backdoor installation, the presence of these high-risk, exploitable capabilities warrants a 'suspicious' classification.