Skill Trust Decision

Bitget Trader

Name: Bitget Trader Trust Review Report
Item: Bitget Trader
Rating: 35
Author: ClawSafe

Bitget网格交易机器人代码本身非恶意，但SKILL.md文档末尾嵌入了真实的API密钥(明文secretKey+passphrase)，凭证已暴露需立即吊销

Install decision first Source: Manual upload Scanned: Apr 5, 2026

Files 137

Artifacts 10

Violations 0

Findings 4

Most direct threat evidence

Critical Credential Theft

SKILL.md嵌入了真实API凭证

SKILL.md文件末尾(约第270行)直接嵌入了Bitget交易所的真实API密钥，包括apiKey、secretKey和passphrase，攻击者可提取后完全控制交易所账户进行交易和提币

SKILL.md:270

Why this conclusion was reached

1/4 dimensions flagged

Pass

Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review

Hidden execution and egress

10 lower-risk artifacts were extracted and still need context.

Block

Attack chain and severe findings

The report includes 0 attack-chain steps and 2 severe findings.

Pass

Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

What drove the risk score up

凭证暴露 +40

SKILL.md末尾嵌入明文apiKey/secretKey/passphrase，可被任何人提取用于接管交易所账户

敏感配置未加密 +15

config.json中存储明文密钥，无加密或环境变量隔离

硬编码路径 +5

使用绝对路径/Users/zongzi/...暴露用户信息

合法交易功能 +-5

代码仅访问Bitget官方API，无数据外泄或恶意行为

Most important evidence

Critical Credential Theft

SKILL.md嵌入了真实API凭证

SKILL.md文件末尾(约第270行)直接嵌入了Bitget交易所的真实API密钥，包括apiKey、secretKey和passphrase，攻击者可提取后完全控制交易所账户进行交易和提币

SKILL.md:270

立即吊销该API密钥，使用环境变量或加密配置文件存储敏感信息

High Credential Theft

config.json存储明文密钥

config.json文件包含明文API密钥和密码，未经加密存储

config.json:1

使用加密配置文件或密钥管理服务，将config.json加入.gitignore

Medium Doc Mismatch

凭证作为文档示例但实为真实密钥

SKILL.md将凭证嵌入在'保存到config.json'示例块中，但这些凭证是真实可用的，而非占位符

SKILL.md:268

文档应使用明确的占位符示例如'YOUR_API_KEY'，而非真实密钥

Low Sensitive Access

硬编码绝对路径泄露用户信息

多个脚本硬编码了用户目录路径/Users/zongzi/...，暴露了系统用户名

SKILL.md:14

使用相对路径或环境变量如$HOME/.openclaw/workspace/

Declared capability vs actual capability

Network Pass

Declared READ

→

Inferred READ

所有脚本通过HTTPS访问api.bitget.com

Filesystem Pass

Declared NONE

→

Inferred READ

多个脚本读取config.json/grid_settings.json

Shell Pass

Declared NONE

→

Inferred READ

bitget-cli.js使用execSync执行node命令

Suspicious artifacts and egress

Medium External URL

https://api.bitget.com/api/v2/spot/market/tickers?symbol=SOLUSDT

GRID_STATUS_2026-03-17_2208.md:117

Medium External URL

https://www.bitget.com

MANUAL_SETUP.md:26

Medium External URL

https://api.bitget.com

MULTI_AGENT_SETUP_GUIDE.md:331

Medium External URL

https://www.google.com

MULTI_AGENT_TEST_REPORT_2026-03-17.md:189

Medium External URL

https://www.investopedia.com/

QUANT_SYSTEM.md:233

Medium External URL

https://www.quantconnect.com/

QUANT_SYSTEM.md:234

Medium External URL

http://127.0.0.1:7897

README.md:242

Medium External URL

https://api.bitget.com$

dynamic-adjust-v2.js:14

Medium External URL

https://api.binance.com/api/v3/klines?symbol=$

dynamic-adjust.js:16

Medium External URL

https://api.binance.com/api/v3/ticker/price?symbol=$

dynamic-adjust.js:45

Dependencies and supply chain

Package	Version	Source	Known vuln	Notes
node (运行时)	`无需额外依赖`	系统	No	纯Node.js标准库实现

File composition

137 files · 22340 lines

JavaScript 74 files · 13942 linesMarkdown 39 files · 7314 linesJSON 21 files · 1007 linesShell 3 files · 77 lines

Files of concern · 3

config.json JSON · 6 lines

config.json存储明文密钥

dynamic-adjust-v2.js JavaScript · 326 lines

https://api.bitget.com$

dynamic-adjust.js JavaScript · 310 lines

https://api.binance.com/api/v3/klines?symbol=$ · https://api.binance.com/api/v3/ticker/price?symbol=$

Other files · smart-grid.js · multi_agent_controller.js · quant-trader.js · apply-scheme-a-final.js · deploy-highfreq-grids.js · trade-analyzer.js +3

137 files · 662.8 KB · 22340 lines

JavaScript 74f · 13942LMarkdown 39f · 7314LJSON 21f · 1007LShell 3f · 77L

├─ ▾ 📁 snapshots

│ └─ 📋 2026-03-07.json JSON 10L · 190 B

├─ 📝 COIN_ANALYSIS_REPORT.md Markdown 241L · 5.9 KB

├─ 📝 DECISION_SUMMARY_2026-03-17_2236.md Markdown 137L · 3.1 KB

├─ 📝 DEPLOYMENT_REPORT_2026-03-17_2138.md Markdown 197L · 4.2 KB

├─ 📝 DYNAMIC_STRATEGY_REPORT.md Markdown 280L · 6.2 KB

├─ 📝 ETH_GRID_REPORT.md Markdown 128L · 3.2 KB

├─ 📝 FINAL_DEPLOYMENT_2026-03-17_2220.md Markdown 339L · 7.0 KB

├─ 📝 GRID_DEPLOYMENT_SUCCESS_2026-03-17.md Markdown 137L · 3.5 KB

├─ 📝 GRID_OPTIMIZATION_REPORT.md Markdown 278L · 6.1 KB

├─ 📝 GRID_OPTIMIZATION_REPORT_2026-03-17.md Markdown 142L · 3.9 KB

├─ 📝 GRID_RESTARTED_2026-03-17.md Markdown 118L · 2.6 KB

├─ 📝 GRID_RESTORED_2026-03-17.md Markdown 99L · 2.1 KB

├─ 📝 GRID_STATUS_2026-03-17_2208.md Markdown 219L · 4.1 KB

├─ 📝 GRID_STATUS_REPORT.md Markdown 172L · 4.1 KB

├─ 📝 GRID_STOPPED_2026-03-17.md Markdown 84L · 1.9 KB

├─ 📝 HIGHFREQ_SETUP_COMPLETE.md Markdown 189L · 4.3 KB

├─ 📝 MANUAL_SETUP.md Markdown 159L · 3.0 KB

├─ 📝 MULTI_AGENT_SETUP_GUIDE.md Markdown 369L · 7.5 KB

├─ 📝 MULTI_AGENT_TEST_REPORT_2026-03-17.md Markdown 318L · 7.0 KB

├─ 📝 NEW_COINS_ANALYSIS.md Markdown 137L · 3.0 KB

├─ 📝 OPTIMIZATION_REPORT.md Markdown 235L · 4.9 KB

├─ 📝 QUANT_STRATEGY.md Markdown 252L · 5.4 KB

├─ 📝 QUANT_SYSTEM.md Markdown 243L · 5.0 KB

├─ 📝 README.md Markdown 301L · 6.3 KB

├─ 📝 REDEPLOY_COMPLETE.md Markdown 157L · 4.0 KB

├─ 📝 REDEPLOY_REPORT_2026-03-17_2158.md Markdown 223L · 4.9 KB

├─ 📝 RUNNING_STATUS.md Markdown 92L · 1.9 KB

├─ 📝 SCHEME_A_MANUAL.md Markdown 180L · 3.9 KB

├─ 📝 SKILL.md Markdown 277L · 6.9 KB

├─ 📝 STARTUP_REPORT.md Markdown 60L · 1.2 KB

├─ 📝 STATUS_REPORT.md Markdown 159L · 3.5 KB

├─ 📝 STATUS_SUMMARY_2026-03-17_2230.md Markdown 243L · 4.7 KB

├─ 📝 STRATEGY_SUMMARY.md Markdown 148L · 3.2 KB

├─ 📝 TRADING_DECISION_2026-03-17_2235.md Markdown 228L · 5.7 KB

├─ 📝 UNLIMITED_MODE.md Markdown 73L · 2.0 KB

├─ 📜 analyze-coins.js JavaScript 145L · 5.7 KB

├─ 📜 analyze-orders.js JavaScript 200L · 7.8 KB

├─ 📜 analyze-strategy.js JavaScript 214L · 7.2 KB

├─ 📜 apply-dynamic-grid.js JavaScript 101L · 3.8 KB

├─ 📜 apply-highfreq.js JavaScript 55L · 2.2 KB

├─ 📜 apply-scheme-a-final.js JavaScript 309L · 11.0 KB

├─ 📜 apply-scheme-a-v2.js JavaScript 281L · 10.2 KB

├─ 📜 apply-scheme-a.js JavaScript 262L · 9.5 KB

├─ 📜 auto-monitor.js JavaScript 290L · 10.2 KB

├─ 📜 bitget-cli.js JavaScript 168L · 4.8 KB

├─ 📜 buy-bnb-limit.js JavaScript 93L · 3.2 KB

├─ 📜 buy-bnb-market.js JavaScript 98L · 3.4 KB

├─ 📜 buy-eth-market.js JavaScript 82L · 2.8 KB

├─ 📜 cancel-all-btc.js JavaScript 135L · 4.8 KB

├─ 📜 cancel-all-orders.js JavaScript 137L · 4.3 KB

├─ 📜 cancel-all.js JavaScript 130L · 4.7 KB

├─ 📜 check-balance.js JavaScript 117L · 3.6 KB

├─ 📜 check-prices.js JavaScript 122L · 5.0 KB

├─ 🔑 config.json ⚠ JSON 6L · 190 B

├─ 📋 conservative_deployment_report.json JSON 47L · 1.1 KB

├─ 📜 create-highfreq-config.js JavaScript 93L · 3.8 KB

├─ 📋 cron_config.json JSON 33L · 1.4 KB

├─ 📝 daily_report.md Markdown 31L · 490 B

├─ 📜 debug-orders.js JavaScript 117L · 4.3 KB

├─ 📜 deploy-bnb-grid.js JavaScript 127L · 4.4 KB

├─ 📜 deploy-bnb-new.js JavaScript 101L · 3.7 KB

├─ 📜 deploy-conservative.js JavaScript 293L · 9.3 KB

├─ 📜 deploy-dynamic-grid.js JavaScript 145L · 4.8 KB

├─ 📜 deploy-eth-buys.js JavaScript 92L · 3.1 KB

├─ 📜 deploy-eth-grid.js JavaScript 134L · 4.9 KB

├─ 📜 deploy-highfreq-grids.js JavaScript 325L · 10.6 KB

├─ 📜 deploy-sell-orders.js JavaScript 162L · 5.2 KB

├─ 📜 deploy-simple-grid.js JavaScript 206L · 6.7 KB

├─ 📜 deploy-ultra-grids-v2.js JavaScript 318L · 10.3 KB

├─ 📜 deploy-ultra-grids.js JavaScript 256L · 7.8 KB

├─ 📜 dynamic-adjust-v2.js JavaScript 326L · 12.1 KB

├─ 📜 dynamic-adjust.js JavaScript 310L · 11.3 KB

├─ 📜 dynamic-rebalance.js JavaScript 295L · 9.3 KB

├─ 📋 dynamic_adjustments.json JSON 8L · 143 B

├─ 📜 grid-optimizer.js JavaScript 267L · 10.3 KB

├─ 📋 grid_settings.json JSON 55L · 1.3 KB

├─ 📋 grid_settings_adjusted.json JSON 58L · 1.7 KB

├─ 📋 grid_settings_conservative.json JSON 58L · 1.5 KB

├─ 📋 grid_settings_highfreq.json JSON 62L · 1.8 KB

├─ 📋 grid_settings_minimal.json JSON 58L · 1.4 KB

├─ 📋 grid_settings_optimized.json JSON 30L · 790 B

├─ 📋 grid_settings_standard.json JSON 58L · 1.4 KB

├─ 📋 grid_settings_ultra.json JSON 58L · 1.5 KB

├─ 📋 highfreq_deployment_report.json JSON 39L · 1.1 KB

├─ 📜 kline-analyzer.js JavaScript 235L · 9.3 KB

├─ 🔧 monitor-cron.sh Shell 18L · 529 B

├─ 📜 monitor-fixed.js JavaScript 191L · 5.8 KB

├─ 📜 monitor-grid.js JavaScript 195L · 6.0 KB

├─ 🔧 monitor-wrapper.sh Shell 26L · 632 B

├─ 📋 monitor_state.json JSON 116L · 2.9 KB

├─ 📋 multi_agent_config.json JSON 126L · 3.2 KB

├─ 📜 multi_agent_controller.js JavaScript 452L · 14.8 KB

├─ 📝 multi_coin_analysis.md Markdown 118L · 2.9 KB

├─ 📜 optimize-grids.js JavaScript 247L · 7.9 KB

├─ 📜 optimize-strategy.js JavaScript 178L · 6.7 KB

├─ 📜 quant-trader.js JavaScript 321L · 11.2 KB

├─ 📜 quick-report.js JavaScript 127L · 4.6 KB

├─ 📜 quick-start.js JavaScript 174L · 4.6 KB

├─ 📜 rebalance.js JavaScript 179L · 6.8 KB

├─ 📜 redeploy-coins.js JavaScript 292L · 9.4 KB

├─ 📜 restart-final.js JavaScript 261L · 8.4 KB

├─ 📜 restart-grids-fixed.js JavaScript 254L · 8.1 KB

├─ 📜 restart-grids.js JavaScript 191L · 6.1 KB

├─ 📜 save-optimized-config.js JavaScript 55L · 1.4 KB

├─ 📋 scheme_a_result.json JSON 21L · 310 B

├─ 📜 sell-btc-market.js JavaScript 165L · 5.7 KB

├─ 📜 setup-cron-monitor.js JavaScript 90L · 3.4 KB

├─ 📜 setup-cron.js JavaScript 104L · 2.8 KB

├─ 📜 smart-grid.js JavaScript 625L · 20.9 KB

├─ 📋 smart_grid_state.json JSON 61L · 1.6 KB

├─ 📜 start-avax-matic.js JavaScript 257L · 8.0 KB

├─ 📜 start-btc-grid.js JavaScript 246L · 7.6 KB

├─ 📜 start-eth-simple.js JavaScript 106L · 3.9 KB

├─ 📜 start-eth-v2.js JavaScript 106L · 3.9 KB

├─ 📜 start-eth-v3.js JavaScript 103L · 3.9 KB

├─ 📜 start-eth-v4.js JavaScript 103L · 3.9 KB

├─ 📜 start-eth-v5.js JavaScript 91L · 3.4 KB

├─ 📜 start-eth-xrp.js JavaScript 183L · 5.6 KB

├─ 📜 start-eth.js JavaScript 184L · 6.1 KB

├─ 📜 start-grids.js JavaScript 190L · 6.1 KB

├─ 📜 start-simple.js JavaScript 257L · 8.0 KB

├─ 📜 start-sol.js JavaScript 153L · 5.0 KB

├─ 📋 status.json JSON 20L · 505 B

├─ 📜 stop-btc-grid.js JavaScript 125L · 4.2 KB

├─ 📋 strategy-summary.json JSON 36L · 758 B

├─ 📝 strategy_report.md Markdown 229L · 5.1 KB

├─ 📜 test-api-debug.js JavaScript 119L · 3.7 KB

├─ 📜 test-eth-grid.js JavaScript 147L · 5.0 KB

├─ 📜 test-grid-api.js JavaScript 127L · 4.1 KB

├─ 📜 test-klines.js JavaScript 51L · 1.6 KB

├─ 📜 test-order.js JavaScript 120L · 3.7 KB

├─ 🔧 test_multi_agent.sh Shell 33L · 913 B

├─ 📜 trade-analyzer.js JavaScript 308L · 10.6 KB

├─ 📝 trading_setup.md Markdown 176L · 4.1 KB

├─ 📋 ultra_deployment_report.json JSON 47L · 1.2 KB

├─ 📜 use-sdk.js JavaScript 124L · 3.9 KB

└─ 📝 启动报告_2026-03-10.md Markdown 146L · 3.3 KB

Security positives

代码功能清晰，无混淆或隐藏的恶意行为

仅访问Bitget官方API(api.bitget.com)，无可疑外部通信

使用标准HTTPS和HMAC-SHA256签名进行API认证

包含风险警告和API权限建议(仅现货交易权限)

日志记录功能完善，便于审计