← Back to Skills Marketplace
chaunceyliu

trade-with-aiusd

by ChaunceyLiu · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
1538
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install trade-with-aiusd
Description
Manage AIUSD trading, staking, withdrawals, balance checks, gas top-ups, and transaction history via authenticated backend calls.
Usage Guidance
Do not run the included installers or npm install blindly. Before installing, verify the skill's origin and integrity (official repo or vendor). Manually extract and inspect the embedded archive contents in a safe environment (isolated VM or container). Confirm which environment variables or token files the skill will read (MCP_HUB_TOKEN and ~/.mcp-hub/token.json are referenced) and ensure you are comfortable providing them. Review package.json and all JavaScript code for postinstall scripts or network endpoints, and audit npm dependencies. Prefer obtaining the skill from an authoritative, signed release (official GitHub release or vendor site) rather than running self-extracting installers from an unknown owner. If you lack the ability to audit, avoid installing or run it only in an isolated sandbox.
Capability Analysis
Type: OpenClaw Skill Name: trade-with-aiusd Version: 1.0.1 The skill bundle is classified as suspicious due to several high-risk capabilities, even though their stated intent aligns with the skill's purpose. The `SKILL.md` file contains direct prompt injection instructions for the AI agent to execute shell commands like `npm run reauth` and `aiusd-skill tools --detailed`, and to perform file system operations such as clearing `~/.mcporter/` and `~/.mcp-hub/token.json` (which may contain sensitive authentication tokens). Both `aiusd-skill-installer.sh` and `aiusd-skill-installer.js` installers execute `npm install`, a significant supply chain risk that downloads and runs arbitrary code. The `README.md` also links to an external GitHub release for downloading the skill, posing another supply chain risk. While these actions are presented as necessary for a trading bot, the direct command execution, file manipulation, and reliance on external code execution without clear transparency of the embedded `package.json` raise significant security concerns.
Capability Assessment
Purpose & Capability
The registry metadata declares no env vars or credentials, but SKILL.md clearly expects an authentication token (MCP_HUB_TOKEN), OAuth flow, or a local token file (~/.mcp-hub/token.json). The package name in metadata ('trade-with-aiusd') and the files both reference 'aiusd-skill' — minor naming mismatch but tolerable — however the absence of declared required env/config in metadata while the runtime instructions require tokens is an incoherence. Asking for browser OAuth and token-file access is proportionate for a trading skill, but it should be declared.
Instruction Scope
SKILL.md includes explicit runtime rules that constrain agent output (a list of forbidden phrases and strict guidance on authentication responses). This is unusual for a benign integration because it attempts to control how the agent explains authentication and forbids discussing certain terms (e.g., 'template', 'verification'). The instructions also refer to a local token path and environment variable not declared in metadata. The file tells the agent to always run 'aiusd-skill tools --detailed' first (reasonable) but also contains truncated content and a pre-scan prompt-injection indicator (base64-block), which increases risk that hidden content or embedded instructions exist.
Install Mechanism
There is no formal install spec in registry metadata, but the package includes two self-extracting installers (shell and Node.js) that contain a large base64-encoded archive and will extract files to disk and run 'npm install'. Embedding and auto-extracting a compressed payload is higher-risk because it writes arbitrary files and triggers npm, which may fetch remote packages or run install scripts. The archive is embedded (no external URL), but executing these installers without inspecting the extracted contents is dangerous.
Credentials
The skill legitimately needs an authentication token to call the AIUSD backend, but required env vars/config paths were not declared in the registry metadata. The SKILL.md's authentication priority (MCP_HUB_TOKEN, OAuth, ~/.mcp-hub/token.json) is plausible, but the mismatch between declared requirements (none) and runtime expectations is an incoherence. Additionally, SKILL.md forbids mentioning URLs and step-by-step auth instructions while elsewhere it lists specific URLs — contradictory guidance that could hide needed auth info from users.
Persistence & Privilege
The skill does not request 'always: true' or system-wide privileges. The installers extract into a subdirectory under the current working directory (aiusd-skill) and run npm install there; they do not request system-wide config changes in the provided files. That said, running npm install can have side effects depending on package scripts, but the skill itself does not declare elevated persistence.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install trade-with-aiusd
  3. After installation, invoke the skill by name or use /trade-with-aiusd
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
trade-with-aiusd v1.0.1 - Added installer scripts: `aiusd-skill-installer.js` and `aiusd-skill-installer.sh` for streamlined setup. - Updated documentation and build metadata.
v1.0.0
AIUSD Skill v1.0.0 initial release - Provides AIUSD trading and account management using backend MCP calls. - Handles balances, trades, staking, withdrawals, gas top-up, and transaction history. - Strict output guidelines for language (bans "template" and similar phrases in trading contexts). - Authentication prioritized via environment variable, OAuth, or local file. - Mandates always running `aiusd-skill tools --detailed` first to fetch live tool schema.
Metadata
Slug trade-with-aiusd
Version 1.0.1
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is trade-with-aiusd?

Manage AIUSD trading, staking, withdrawals, balance checks, gas top-ups, and transaction history via authenticated backend calls. It is an AI Agent Skill for Claude Code / OpenClaw, with 1538 downloads so far.

How do I install trade-with-aiusd?

Run "/install trade-with-aiusd" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is trade-with-aiusd free?

Yes, trade-with-aiusd is completely free (open-source). You can download, install and use it at no cost.

Which platforms does trade-with-aiusd support?

trade-with-aiusd is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created trade-with-aiusd?

It is built and maintained by ChaunceyLiu (@chaunceyliu); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments