QuantumExecute (QE) unified skill for AI-driven cryptocurrency algorithmic trading across Binance, OKX, LTP, Deribit, Hyperliquid, and other supported exchan...
Security Analysis
high confidenceThe skill's code, required credentials, and runtime instructions are consistent with its stated purpose (algorithmic crypto execution); nothing in the bundle indicates hidden or unrelated behavior, but the QE API credentials are high‑privilege and should be used with strong operational controls.
Name/description (multi-exchange trading, order lifecycle, TCA/export) matches the included scripts and references. Requested binaries (python3) and required env vars (QE_API_KEY, QE_API_SECRET) are expected for a Python-based trading client. The set of scripts map directly to claimed features (balances, orders, TCA, exports).
SKILL.md directs running the provided scripts and keeping secrets in env vars only; scripts source QE_API_KEY/SECRET via shared _client.get_client, and the skill's hard rules require explicit confirmation before write operations. Scripts write reports to ~/workspace by default and produce JSON outputs. Minor inconsistencies: SKILL.md mentions optional QE_WORKSPACE and QE_BASE_URL, but most scripts do not read QE_WORKSPACE (they default to Path.home()/"workspace"); QE_BASE_URL is read by _client if set. Overall instructions do not attempt to read unrelated system files or exfiltrate secrets.
No install spec provided (instruction-only install), but a requirements.txt is included listing 'qe-connector', 'requests', 'pandas', 'openpyxl'. Because there is no automatic install step, operator must install dependencies manually; this is lower risk than an arbitrary download, but operators should verify package sources (especially 'qe-connector') and pin versions before installing.
Only QE_API_KEY and QE_API_SECRET are required (declared primaryEnv QE_API_KEY). Those are exactly the high‑privilege credentials needed for the described trading capabilities. SKILL.md also documents QE_BASE_URL and QE_WORKSPACE as optional; QE_BASE_URL is supported by code, QE_WORKSPACE is documented but not consistently used by scripts (they default to ~/workspace). No unrelated credentials or system config paths are requested.
always:false (no forced inclusion). The skill does not request system-wide changes, does not modify other skills, and does not require persistent elevated privileges. Autonomous invocation is allowed (platform default); the skill's hard rules require explicit confirmations for write operations which mitigates autonomous write risk if enforced by the agent.
Guidance
This skill appears coherent for its stated purpose, but it controls high‑privilege trading actions. Before installing or running it: 1) Treat QE_API_KEY/QE_API_SECRET as powerful credentials — create and use restricted keys (minimal permissions) and enable IP whitelisting and audit logs on the QuantumExecute platform. 2) Review and install dependencies in an isolated environment (virtualenv/container) and verify the 'qe-connector' package source & version before installing. 3) Confirm the agent enforces the skill's P0 hard rules (explicit confirmation required for create/update/cancel operations). 4) Test read-only scripts first (list_exchange_apis, get_market_data, balance/positions) using non-production accounts or read-only keys. 5) Note small inconsistencies: SKILL.md references QE_WORKSPACE (not read by scripts) and QE_BASE_URL (supported), and there is no automatic install step — ensure you know where reports will be written (default ~/workspace) and supply QE_BASE_URL only to trusted endpoints. If you need higher assurance, request the upstream package repository (qe-connector) and compare its API usage to the code here, or run the skill in an isolated sandbox before granting production credentials.
Latest Release
v1.0.1
- License updated from MIT to MIT-0. - Added metadata for OpenClaw environment, including env/binary requirements and homepage link. - New section "Capability and Credential Declaration" describing credential usage and security recommendations. - Clarified requirements for QE_API_KEY and QE_API_SECRET, with additional notes on privilege and endpoint safety. - No functional or script changes; documentation and metadata only.
Popular Skills
Published by @l-kai890 on ClawHub
