← Back to Skills Marketplace
madeinusmate

Grvt Markets

by Stefano Cantù · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
553
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install grvt-markets-agent-skill
Description
Trade on GRVT (Gravity Markets) derivatives exchange via the grvt-cli tool. Use when the user wants to trade crypto derivatives, place or cancel orders, chec...
README (SKILL.md)

GRVT Exchange CLI

IMPORTANT: Community Project Disclaimer

grvt-cli is a community hobby project. It is NOT officially supported, endorsed, audited, or maintained by the GRVT team. No security audit or formal code review has been performed.

The code has not been audited for security vulnerabilities. By using this tool the user acknowledges and accepts the risk of total loss of funds.

The user is solely responsible for any financial losses, leaked credentials, or unintended trades that may result from using this software.

This tool stores API keys and private keys in plaintext on disk (with 0600 file permissions). Keys should never be shared or used on untrusted machines.

Before using this CLI on behalf of the user, you MUST inform them of this disclaimer and get their explicit acknowledgment.

grvt is a CLI tool and Node.js library for trading on GRVT (Gravity Markets), a crypto derivatives exchange supporting perpetuals, futures, and options.

Package: @madeinusmate/grvt-cli (npm). Binary: grvt. Requires Node.js >= 20.

Safety Recommendations

  • Only use testnet until the user fully understands the CLI behavior.
  • Review the source code before trusting it with real funds.
  • Keep private keys out of shell history (use grvt setup which reads from stdin).
  • Rotate API keys regularly.
  • Never use the CLI with more funds than the user can afford to lose.

Installation

pnpm add -g @madeinusmate/grvt-cli

Verify: grvt --version

First-Time Setup

The interactive wizard handles everything:

grvt setup

The setup wizard displays a disclaimer requiring explicit acceptance before proceeding. It is interactive and reads sensitive input from stdin (keeping keys out of shell history). It walks through: environment, API key, private key, and default sub-account ID, then authenticates automatically.

Note: Because grvt setup is interactive and requires user input, agents cannot run it directly. Use the manual setup flow below instead.

Manual setup (recommended for agents):

grvt config set env testnet
grvt auth login --api-key YOUR_API_KEY --private-key 0xYOUR_PRIVATE_KEY
grvt config set subAccountId YOUR_SUB_ACCOUNT_ID

Verify setup:

grvt auth status
grvt config list

Configuration

Config file: ~/.config/grvt/config.toml (permissions 0600).

Key Type Default Description
env dev|staging|testnet|prod prod GRVT environment
apiKey string - GRVT API key
privateKey string - Ethereum private key (0x-prefixed) for EIP-712 signing
subAccountId string - Default sub-account for trading commands
accountId string - Main account ID (set automatically on login)
cookie string - Session cookie (set automatically on login)
outputDefaults.output json|ndjson|table|raw table Default output format
outputDefaults.pretty boolean false Pretty-print JSON
outputDefaults.silent boolean false Suppress info logs
http.timeoutMs number 10000 Request timeout (ms)
http.retries number 3 Retry count
http.backoffMs number 200 Initial backoff (ms)
http.maxBackoffMs number 10000 Max backoff (ms)

Secret keys (apiKey, privateKey, cookie) are redacted in config list / config get output.

Use grvt config set \x3Ckey> \x3Cvalue> and grvt config unset \x3Ckey> to modify. Use dot-notation for nested keys (e.g. outputDefaults.output).

Authentication

Login requires an API key. A private key is optional but required for write operations (orders, transfers, withdrawals, derisk).

grvt auth login --api-key KEY --private-key 0xKEY

The session cookie is stored in config and sent automatically with authenticated requests.

Command Description
grvt auth login Authenticate (stores session cookie + account ID)
grvt auth status Verify session is valid (calls API)
grvt auth whoami Show current auth state (local only, no API call)
grvt auth logout Clear all stored credentials

EIP-712 signing is used for: order creation, transfers, withdrawals, and derisk operations. The private key never leaves the local machine.

Environments

Environment Market Data Trading Edge (Auth)
dev market-data.dev.gravitymarkets.io trades.dev.gravitymarkets.io edge.dev.gravitymarkets.io
staging market-data.staging.gravitymarkets.io trades.staging.gravitymarkets.io edge.staging.gravitymarkets.io
testnet market-data.testnet.grvt.io trades.testnet.grvt.io edge.testnet.grvt.io
prod market-data.grvt.io trades.grvt.io edge.grvt.io

Switch with: grvt config set env testnet

Global Options

Available on every command:

Option Description Default
--output \x3Cformat> json, ndjson, table, raw table (TTY) / json (piped)
--pretty Pretty-print JSON false
--silent Suppress info logs false
--no-color Disable colors -
--yes Skip confirmation prompts -
--retries \x3Cn> Retry count 3
--timeout-ms \x3Cn> Request timeout (ms) 10000

Write commands (order create, order cancel, transfer create, withdraw create, derisk) also support:

Option Description
--dry-run Validate and show the signed payload without sending
--json \x3Cpath> Read full request body from file (@file.json) or stdin (-)

Command Overview

grvt
  setup                         Interactive setup wizard
  config                        Manage local configuration
    path / get / set / unset / list / export / import
  auth                          Authentication and session
    login / status / whoami / logout
  market                        Market data (mostly unauthenticated)
    instruments / instrument / currency / orderbook / trades
    candles / funding-rate / ticker / mini-ticker / margin-rules
  account                       Account info (requires auth)
    funding / summary / aggregated / history
  trade                         Trading (requires auth; writes need private key)
    order create / order get / order open / order cancel / order cancel-all / order history
    fills / positions / funding-payments
    leverage get / leverage set
    cancel-on-disconnect / derisk
  funds                         Fund management (requires auth; writes need private key)
    deposit history
    transfer create / transfer history
    withdraw create / withdraw history

For full flag details on each command, read the corresponding reference file:

  • references/commands-config.md — config and auth commands
  • references/commands-market.md — market data commands
  • references/commands-trade.md — trading commands
  • references/commands-account.md — account commands
  • references/commands-funds.md — fund management commands
  • references/errors.md — error codes and troubleshooting

Instrument Naming

GRVT uses structured instrument symbols:

Type Pattern Example
Perpetual {BASE}_{QUOTE}_Perp BTC_USDT_Perp
Future {BASE}_{QUOTE}_Fut_{DATE} BTC_USDT_Fut_20Oct23
Call {BASE}_{QUOTE}_Call_{DATE}_{STRIKE} ETH_USDT_Call_20Oct23_2800
Put {BASE}_{QUOTE}_Put_{DATE}_{STRIKE} ETH_USDT_Put_20Oct23_2800

Always discover available instruments before trading:

grvt market instruments
grvt market instruments --kind PERPETUAL --base BTC
grvt market instrument --instrument BTC_USDT_Perp

Output Format Guide

Format When to use
table Interactive display in terminal (default in TTY)
json Parsing output programmatically, piping to jq
ndjson Streaming large datasets with --all pagination
raw Debugging raw API responses

The CLI auto-detects: table when stdout is a TTY, json when piped. Override with --output \x3Cformat>.

When using --all with ndjson, records stream to stdout as they arrive (one JSON object per line), enabling efficient processing of large result sets without buffering everything in memory.

Key Workflows

Market Analysis

grvt market instruments --kind PERPETUAL
grvt market orderbook --instrument BTC_USDT_Perp --depth 50
grvt market ticker --instrument BTC_USDT_Perp --greeks --derived
grvt market candles --instrument BTC_USDT_Perp --interval CI_1_H --limit 24
grvt market funding-rate --instrument BTC_USDT_Perp --limit 10
grvt market margin-rules --instrument BTC_USDT_Perp

Place and Manage Orders

# Limit buy
grvt trade order create --instrument BTC_USDT_Perp --side buy --type limit --qty 0.01 --price 68000

# Market sell
grvt trade order create --instrument BTC_USDT_Perp --side sell --type market --qty 0.01

# With options
grvt trade order create --instrument BTC_USDT_Perp --side buy --type limit \
  --qty 0.01 --price 68000 --post-only --time-in-force IOC --expiration-seconds 60

# Monitor
grvt trade order open
grvt trade order get --order-id 0x123...

# Cancel
grvt trade order cancel --order-id 0x123...
grvt trade order cancel-all
grvt trade order cancel-all --instrument BTC_USDT_Perp

Portfolio Check

grvt trade positions
grvt account summary
grvt account aggregated
grvt account funding
grvt account history --start-time 2025-01-01T00:00:00Z --limit 24

Fund Management

# Transfer between sub-accounts
grvt funds transfer create \
  --from-sub-account-id FROM_ID --to-sub-account-id TO_ID \
  --currency USDT --amount 100

# Withdraw to Ethereum address
grvt funds withdraw create \
  --to-address 0xYOUR_ETH_ADDRESS --currency USDT --amount 50

# View history
grvt funds deposit history --all
grvt funds transfer history --start-time 2025-01-01T00:00:00Z
grvt funds withdraw history --limit 10

Leverage and Risk

grvt trade leverage get
grvt trade leverage set --instrument BTC_USDT_Perp --leverage 10
grvt trade cancel-on-disconnect --countdown 5000
grvt trade derisk --ratio 0.5

Shell Patterns

Pipe JSON output to jq:

grvt market instruments --output json | jq '.[].instrument'
grvt trade order open --output json | jq '.[] | {instrument, side: .legs[0].is_buying_asset, size: .legs[0].size}'

Stream paginated results:

grvt trade fills --all --output ndjson | jq '.instrument'
grvt trade order history --all --output ndjson > all_orders.jsonl

Read order payload from a file:

grvt trade order create --json @order.json
echo '{"order": {...}}' | grvt trade order create --json -

Skip confirmations for scripting:

grvt trade order cancel-all --yes --silent
grvt funds transfer create ... --yes --silent

Dry-run to preview:

grvt trade order create --instrument BTC_USDT_Perp --side buy --type limit --qty 0.01 --price 68000 --dry-run

Timestamp Formats

All --start-time and --end-time flags accept:

Format Example
Unix seconds 1704067200
Unix milliseconds 1704067200000
Unix nanoseconds 1704067200000000000
ISO 8601 2025-01-01T00:00:00Z

Error Handling

Exit Code Meaning
0 Success
2 Usage / validation error (bad flags, missing required options)
3 Authentication / permission error (expired session, invalid key)
4 Partial failure (batch operations like cancel-all)
5 API / network error (server errors, timeouts, rate limits)

Common recovery patterns:

  • Exit 3: Run grvt auth login to refresh session
  • Exit 5 with 429: Reduce request frequency; CLI retries automatically with exponential backoff
  • Exit 2: Check grvt \x3Ccommand> --help for required options

For detailed error scenarios and troubleshooting, read references/errors.md.

Library Usage

@madeinusmate/grvt-cli can also be imported as a Node.js library:

import { createHttpClient, login, createOrder, getOpenOrders, getPositions } from "@madeinusmate/grvt-cli";

See src/index.ts in the package source for all exported functions.

Candle Intervals

Valid values for --interval on grvt market candles:

CI_1_M, CI_5_M, CI_15_M, CI_30_M, CI_1_H, CI_2_H, CI_4_H, CI_6_H, CI_8_H, CI_12_H, CI_1_D, CI_1_W

Instrument Kind Filters

Valid values for --kind filters (comma-separated):

PERPETUAL, FUTURE, CALL, PUT

Usage Guidance
This skill appears to be what it says (a CLI wrapper for GRVT trading) but has several red flags you should consider before installing or using it: - The SKILL.md requires Node.js >=20 and installation via pnpm of @madeinusmate/grvt-cli, but the skill metadata omits required binaries and credentials — treat that as a transparency issue. - The package is a community project (not audited). Installing an unvetted npm package can run arbitrary code; prefer reviewing the package source before installing and run it in an isolated environment (container or throwaway VM). - The CLI requires an API key and for write actions an Ethereum private key; it warns that it stores secrets in plaintext at ~/.config/grvt/config.toml (0600). Avoid handing your private key to an agent; prefer using a limited-scope API key or testnet credentials for experimentation. - The SKILL.md acknowledges the risk and asks for explicit user acknowledgment before use — enforce that. If you must use it, use testnet, rotate keys afterwards, and consider using read‑only credentials or a hardware wallet/signing service rather than placing private keys on disk. If you want to proceed safely, request the skill owner/source code and perform a code review (or have one performed), or run the CLI in an isolated environment and never supply mainnet private keys to an agent or unknown package.
Capability Analysis
Type: OpenClaw Skill Name: grvt-markets-agent-skill Version: 1.0.0 This skill bundle is classified as suspicious due to its documentation of a high-risk crypto trading CLI tool (`grvt-cli`) that handles sensitive financial operations and credentials. The `SKILL.md` explicitly warns that the tool is a 'community hobby project' with 'no security audit' and 'stores API keys and private keys in plaintext on disk'. Furthermore, the recommended setup for agents involves passing API and private keys directly on the command line, exposing them in shell history and process listings. The tool also features a `--yes` flag to bypass confirmation prompts for sensitive actions like fund transfers and withdrawals, which, if misused by an agent (e.g., via prompt injection), could lead to unauthorized financial transactions. While the skill transparently discloses these risks and instructs the agent to obtain user acknowledgment, these significant vulnerabilities and risky capabilities warrant a 'suspicious' classification rather than 'benign', as they could be exploited, but there is no clear evidence of intentional malicious behavior (e.g., exfiltration to attacker-controlled domains, stealth, or backdoors) within the skill bundle itself.
Capability Assessment
Purpose & Capability
The skill (Grvt Markets) and SKILL.md consistently describe a CLI-based trading integration (grvt-cli) and the commands in the reference files match that purpose. However, the registry metadata lists no required binaries or credentials while the README explicitly requires Node.js >= 20 and installation via pnpm and also requires API and private keys for authenticated actions — this metadata omission is an inconsistency (likely sloppy packaging) that reduces transparency.
Instruction Scope
The SKILL.md directs the agent/user to install and run a third‑party CLI that performs authenticated trading operations and EIP‑712 signing. It explicitly instructs manual or interactive setup for entering API keys and private keys and notes that keys are written to ~/.config/grvt/config.toml in plaintext (0600). While the instructions do not attempt to exfiltrate data, they do put the agent/user in a position to provide highly sensitive secrets; the skill text warns about this but does not restrict or provide safer alternatives (e.g., using limited-scope API keys).
Install Mechanism
The skill is instruction‑only and has no platform install spec, but SKILL.md instructs installing @madeinusmate/grvt-cli via pnpm (npm registry). Installing an unvetted community npm package is a moderate risk: npm packages can execute arbitrary code. The SKILL.md includes a clear community‑project disclaimer, but the manifest does not declare installation requirements, which reduces transparency.
Credentials
The manifest declares no required environment variables or primary credential, but the CLI requires an API key and (for write operations) an Ethereum private key and stores session cookies and keys in the config file. The absence of declared credentials in the skill metadata is disproportionate and inconsistent with the documented need for secrets. Additionally, storing private keys in plaintext (even with 0600) is sensitive and increases risk if the host is compromised.
Persistence & Privilege
The skill is not marked always:true and does not request persistent installation by the registry; it is an instruction‑only skill. It does not declare any elevated platform privileges. Autonomous invocation is allowed (default) but is not combined with other high‑privilege settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install grvt-markets-agent-skill
  3. After installation, invoke the skill by name or use /grvt-markets-agent-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of grvt-markets-agent-skill. - Adds support for trading on GRVT (Gravity Markets) derivatives exchange via the grvt-cli tool. - Enables placing and canceling orders, checking positions, viewing market data (orderbook, candles, tickers, funding rates), and managing account balances. - Allows transfers between sub-accounts, withdrawals to Ethereum, leverage adjustments, and querying trade or order history. - Includes important security and usage disclaimers requiring explicit user acknowledgment before use.
Metadata
Slug grvt-markets-agent-skill
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Grvt Markets?

Trade on GRVT (Gravity Markets) derivatives exchange via the grvt-cli tool. Use when the user wants to trade crypto derivatives, place or cancel orders, chec... It is an AI Agent Skill for Claude Code / OpenClaw, with 553 downloads so far.

How do I install Grvt Markets?

Run "/install grvt-markets-agent-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Grvt Markets free?

Yes, Grvt Markets is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Grvt Markets support?

Grvt Markets is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Grvt Markets?

It is built and maintained by Stefano Cantù (@madeinusmate); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments