Skill Trust Decision

Bitget Trader

Name: Bitget Trader Trust Review Report
Item: Bitget Trader
Rating: 55
Author: ClawSafe

Legitimate cryptocurrency trading automation for Bitget exchange with critically sensitive API credentials embedded in plaintext config files, representing significant credential theft risk if compromised.

Install decision first Source: Manual upload Scanned: Apr 4, 2026

Files 137

Artifacts 10

Violations 2

Findings 4

Most direct threat evidence

Critical Credential Theft

Exposed API Credentials in Plaintext

Real Bitget exchange API credentials (apiKey, secretKey, passphrase) are embedded in plaintext in config.json and multi_agent_config.json. These credentials enable spot trading and could be harvested for unauthorized trading or fund theft.

config.json:1

Why this conclusion was reached

2/4 dimensions flagged

Block

Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review

Hidden execution and egress

10 lower-risk artifacts were extracted and still need context.

Block

Attack chain and severe findings

The report includes 3 attack-chain steps and 1 severe findings.

Pass

Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

Attacker gains read access to workspace directory

reconnaissance · config.json:1

Extracts plaintext API credentials from config.json or multi_agent_config.json

Impact · config.json:2

Uses harvested credentials to execute unauthorized trades on Bitget exchange

Impact · api.bitget.com

What drove the risk score up

Exposed API credentials in config files +25

Real Bitget API keys, secret keys, and passphrase embedded in plaintext in config.json and multi_agent_config.json

No declared credential handling policy +10

SKILL.md instructs users to save credentials but doesn't warn about security implications

Legitimate shell execution via child_process +5

execSync used in setup-cron.js and bitget-cli.js for running openclaw commands, documented but broad

Network access to legitimate API only +-5

All network requests go to api.bitget.com - no suspicious external connections

Most important evidence

Critical Credential Theft

Exposed API Credentials in Plaintext

config.json:1

Use environment variables (BITGET_API_KEY, BITGET_SECRET_KEY) instead of storing credentials in files. Add config.json to .gitignore immediately.

Medium Doc Mismatch

Network Capability Mismatch

SKILL.md declares network:READ but the scripts perform POST requests to place/cancel orders, representing WRITE operations on the exchange.

SKILL.md:1

Update SKILL.md to declare network:WRITE permission and document all trading capabilities

Medium Priv Escalation

Undeclared Shell Execution

setup-cron.js and bitget-cli.js use execSync to run openclaw CLI commands and spawn Node.js scripts. This shell:WRITE capability is not declared in SKILL.md.

setup-cron.js:28

Document shell execution requirements in SKILL.md if intentional, or refactor to use native Node.js APIs

Low Supply Chain

HttpsProxyAgent Dependency

Some scripts reference https-proxy-agent package for proxy support, but this external dependency is not declared in any requirements.txt or package.json.

rebalance.js:8

Create package.json to document all dependencies and versions

Declared capability vs actual capability

Filesystem Pass

Declared READ

→

Inferred READ

All scripts read config.json and grid_settings.json

Network Block

Declared READ

→

Inferred WRITE

Places/cancels orders, not just reads data

Shell Block

Declared NONE

→

Inferred WRITE

setup-cron.js:28, bitget-cli.js:89 use execSync

Skill Invoke Pass

Declared NONE

→

Inferred READ

CLI dispatches to other scripts via execSync

Suspicious artifacts and egress

Medium External URL

https://api.bitget.com/api/v2/spot/market/tickers?symbol=SOLUSDT

GRID_STATUS_2026-03-17_2208.md:117

Medium External URL

https://www.bitget.com

MANUAL_SETUP.md:26

Medium External URL

https://api.bitget.com

MULTI_AGENT_SETUP_GUIDE.md:331

Medium External URL

https://www.google.com

MULTI_AGENT_TEST_REPORT_2026-03-17.md:189

Medium External URL

https://www.investopedia.com/

QUANT_SYSTEM.md:233

Medium External URL

https://www.quantconnect.com/

QUANT_SYSTEM.md:234

Medium External URL

http://127.0.0.1:7897

README.md:242

Medium External URL

https://api.bitget.com$

dynamic-adjust-v2.js:14

Medium External URL

https://api.binance.com/api/v3/klines?symbol=$

dynamic-adjust.js:16

Medium External URL

https://api.binance.com/api/v3/ticker/price?symbol=$

dynamic-adjust.js:45

Dependencies and supply chain

Package	Version	Source	Known vuln	Notes
https-proxy-agent	`unknown`	implicit	No	Referenced in code but not in declared dependencies
Node.js built-ins	`N/A`	stdlib	No	fs, crypto, path, https, http, child_process

File composition

137 files · 22340 lines

JavaScript 74 files · 13942 linesMarkdown 39 files · 7314 linesJSON 21 files · 1007 linesShell 3 files · 77 lines

Files of concern · 3

config.json JSON · 6 lines

Exposed API Credentials in Plaintext

dynamic-adjust-v2.js JavaScript · 326 lines

https://api.bitget.com$

dynamic-adjust.js JavaScript · 310 lines

https://api.binance.com/api/v3/klines?symbol=$ · https://api.binance.com/api/v3/ticker/price?symbol=$

Other files · smart-grid.js · multi_agent_controller.js · quant-trader.js · apply-scheme-a-final.js · deploy-highfreq-grids.js · trade-analyzer.js +3

137 files · 662.8 KB · 22340 lines

JavaScript 74f · 13942LMarkdown 39f · 7314LJSON 21f · 1007LShell 3f · 77L

├─ ▾ 📁 snapshots

│ └─ 📋 2026-03-07.json JSON 10L · 190 B

├─ 📝 COIN_ANALYSIS_REPORT.md Markdown 241L · 5.9 KB

├─ 📝 DECISION_SUMMARY_2026-03-17_2236.md Markdown 137L · 3.1 KB

├─ 📝 DEPLOYMENT_REPORT_2026-03-17_2138.md Markdown 197L · 4.2 KB

├─ 📝 DYNAMIC_STRATEGY_REPORT.md Markdown 280L · 6.2 KB

├─ 📝 ETH_GRID_REPORT.md Markdown 128L · 3.2 KB

├─ 📝 FINAL_DEPLOYMENT_2026-03-17_2220.md Markdown 339L · 7.0 KB

├─ 📝 GRID_DEPLOYMENT_SUCCESS_2026-03-17.md Markdown 137L · 3.5 KB

├─ 📝 GRID_OPTIMIZATION_REPORT.md Markdown 278L · 6.1 KB

├─ 📝 GRID_OPTIMIZATION_REPORT_2026-03-17.md Markdown 142L · 3.9 KB

├─ 📝 GRID_RESTARTED_2026-03-17.md Markdown 118L · 2.6 KB

├─ 📝 GRID_RESTORED_2026-03-17.md Markdown 99L · 2.1 KB

├─ 📝 GRID_STATUS_2026-03-17_2208.md Markdown 219L · 4.1 KB

├─ 📝 GRID_STATUS_REPORT.md Markdown 172L · 4.1 KB

├─ 📝 GRID_STOPPED_2026-03-17.md Markdown 84L · 1.9 KB

├─ 📝 HIGHFREQ_SETUP_COMPLETE.md Markdown 189L · 4.3 KB

├─ 📝 MANUAL_SETUP.md Markdown 159L · 3.0 KB

├─ 📝 MULTI_AGENT_SETUP_GUIDE.md Markdown 369L · 7.5 KB

├─ 📝 MULTI_AGENT_TEST_REPORT_2026-03-17.md Markdown 318L · 7.0 KB

├─ 📝 NEW_COINS_ANALYSIS.md Markdown 137L · 3.0 KB

├─ 📝 OPTIMIZATION_REPORT.md Markdown 235L · 4.9 KB

├─ 📝 QUANT_STRATEGY.md Markdown 252L · 5.4 KB

├─ 📝 QUANT_SYSTEM.md Markdown 243L · 5.0 KB

├─ 📝 README.md Markdown 301L · 6.3 KB

├─ 📝 REDEPLOY_COMPLETE.md Markdown 157L · 4.0 KB

├─ 📝 REDEPLOY_REPORT_2026-03-17_2158.md Markdown 223L · 4.9 KB

├─ 📝 RUNNING_STATUS.md Markdown 92L · 1.9 KB

├─ 📝 SCHEME_A_MANUAL.md Markdown 180L · 3.9 KB

├─ 📝 SKILL.md Markdown 277L · 6.9 KB

├─ 📝 STARTUP_REPORT.md Markdown 60L · 1.2 KB

├─ 📝 STATUS_REPORT.md Markdown 159L · 3.5 KB

├─ 📝 STATUS_SUMMARY_2026-03-17_2230.md Markdown 243L · 4.7 KB

├─ 📝 STRATEGY_SUMMARY.md Markdown 148L · 3.2 KB

├─ 📝 TRADING_DECISION_2026-03-17_2235.md Markdown 228L · 5.7 KB

├─ 📝 UNLIMITED_MODE.md Markdown 73L · 2.0 KB

├─ 📜 analyze-coins.js JavaScript 145L · 5.7 KB

├─ 📜 analyze-orders.js JavaScript 200L · 7.8 KB

├─ 📜 analyze-strategy.js JavaScript 214L · 7.2 KB

├─ 📜 apply-dynamic-grid.js JavaScript 101L · 3.8 KB

├─ 📜 apply-highfreq.js JavaScript 55L · 2.2 KB

├─ 📜 apply-scheme-a-final.js JavaScript 309L · 11.0 KB

├─ 📜 apply-scheme-a-v2.js JavaScript 281L · 10.2 KB

├─ 📜 apply-scheme-a.js JavaScript 262L · 9.5 KB

├─ 📜 auto-monitor.js JavaScript 290L · 10.2 KB

├─ 📜 bitget-cli.js JavaScript 168L · 4.8 KB

├─ 📜 buy-bnb-limit.js JavaScript 93L · 3.2 KB

├─ 📜 buy-bnb-market.js JavaScript 98L · 3.4 KB

├─ 📜 buy-eth-market.js JavaScript 82L · 2.8 KB

├─ 📜 cancel-all-btc.js JavaScript 135L · 4.8 KB

├─ 📜 cancel-all-orders.js JavaScript 137L · 4.3 KB

├─ 📜 cancel-all.js JavaScript 130L · 4.7 KB

├─ 📜 check-balance.js JavaScript 117L · 3.6 KB

├─ 📜 check-prices.js JavaScript 122L · 5.0 KB

├─ 🔑 config.json ⚠ JSON 6L · 190 B

├─ 📋 conservative_deployment_report.json JSON 47L · 1.1 KB

├─ 📜 create-highfreq-config.js JavaScript 93L · 3.8 KB

├─ 📋 cron_config.json JSON 33L · 1.4 KB

├─ 📝 daily_report.md Markdown 31L · 490 B

├─ 📜 debug-orders.js JavaScript 117L · 4.3 KB

├─ 📜 deploy-bnb-grid.js JavaScript 127L · 4.4 KB

├─ 📜 deploy-bnb-new.js JavaScript 101L · 3.7 KB

├─ 📜 deploy-conservative.js JavaScript 293L · 9.3 KB

├─ 📜 deploy-dynamic-grid.js JavaScript 145L · 4.8 KB

├─ 📜 deploy-eth-buys.js JavaScript 92L · 3.1 KB

├─ 📜 deploy-eth-grid.js JavaScript 134L · 4.9 KB

├─ 📜 deploy-highfreq-grids.js JavaScript 325L · 10.6 KB

├─ 📜 deploy-sell-orders.js JavaScript 162L · 5.2 KB

├─ 📜 deploy-simple-grid.js JavaScript 206L · 6.7 KB

├─ 📜 deploy-ultra-grids-v2.js JavaScript 318L · 10.3 KB

├─ 📜 deploy-ultra-grids.js JavaScript 256L · 7.8 KB

├─ 📜 dynamic-adjust-v2.js JavaScript 326L · 12.1 KB

├─ 📜 dynamic-adjust.js JavaScript 310L · 11.3 KB

├─ 📜 dynamic-rebalance.js JavaScript 295L · 9.3 KB

├─ 📋 dynamic_adjustments.json JSON 8L · 143 B

├─ 📜 grid-optimizer.js JavaScript 267L · 10.3 KB

├─ 📋 grid_settings.json JSON 55L · 1.3 KB

├─ 📋 grid_settings_adjusted.json JSON 58L · 1.7 KB

├─ 📋 grid_settings_conservative.json JSON 58L · 1.5 KB

├─ 📋 grid_settings_highfreq.json JSON 62L · 1.8 KB

├─ 📋 grid_settings_minimal.json JSON 58L · 1.4 KB

├─ 📋 grid_settings_optimized.json JSON 30L · 790 B

├─ 📋 grid_settings_standard.json JSON 58L · 1.4 KB

├─ 📋 grid_settings_ultra.json JSON 58L · 1.5 KB

├─ 📋 highfreq_deployment_report.json JSON 39L · 1.1 KB

├─ 📜 kline-analyzer.js JavaScript 235L · 9.3 KB

├─ 🔧 monitor-cron.sh Shell 18L · 529 B

├─ 📜 monitor-fixed.js JavaScript 191L · 5.8 KB

├─ 📜 monitor-grid.js JavaScript 195L · 6.0 KB

├─ 🔧 monitor-wrapper.sh Shell 26L · 632 B

├─ 📋 monitor_state.json JSON 116L · 2.9 KB

├─ 📋 multi_agent_config.json JSON 126L · 3.2 KB

├─ 📜 multi_agent_controller.js JavaScript 452L · 14.8 KB

├─ 📝 multi_coin_analysis.md Markdown 118L · 2.9 KB

├─ 📜 optimize-grids.js JavaScript 247L · 7.9 KB

├─ 📜 optimize-strategy.js JavaScript 178L · 6.7 KB

├─ 📜 quant-trader.js JavaScript 321L · 11.2 KB

├─ 📜 quick-report.js JavaScript 127L · 4.6 KB

├─ 📜 quick-start.js JavaScript 174L · 4.6 KB

├─ 📜 rebalance.js JavaScript 179L · 6.8 KB

├─ 📜 redeploy-coins.js JavaScript 292L · 9.4 KB

├─ 📜 restart-final.js JavaScript 261L · 8.4 KB

├─ 📜 restart-grids-fixed.js JavaScript 254L · 8.1 KB

├─ 📜 restart-grids.js JavaScript 191L · 6.1 KB

├─ 📜 save-optimized-config.js JavaScript 55L · 1.4 KB

├─ 📋 scheme_a_result.json JSON 21L · 310 B

├─ 📜 sell-btc-market.js JavaScript 165L · 5.7 KB

├─ 📜 setup-cron-monitor.js JavaScript 90L · 3.4 KB

├─ 📜 setup-cron.js JavaScript 104L · 2.8 KB

├─ 📜 smart-grid.js JavaScript 625L · 20.9 KB

├─ 📋 smart_grid_state.json JSON 61L · 1.6 KB

├─ 📜 start-avax-matic.js JavaScript 257L · 8.0 KB

├─ 📜 start-btc-grid.js JavaScript 246L · 7.6 KB

├─ 📜 start-eth-simple.js JavaScript 106L · 3.9 KB

├─ 📜 start-eth-v2.js JavaScript 106L · 3.9 KB

├─ 📜 start-eth-v3.js JavaScript 103L · 3.9 KB

├─ 📜 start-eth-v4.js JavaScript 103L · 3.9 KB

├─ 📜 start-eth-v5.js JavaScript 91L · 3.4 KB

├─ 📜 start-eth-xrp.js JavaScript 183L · 5.6 KB

├─ 📜 start-eth.js JavaScript 184L · 6.1 KB

├─ 📜 start-grids.js JavaScript 190L · 6.1 KB

├─ 📜 start-simple.js JavaScript 257L · 8.0 KB

├─ 📜 start-sol.js JavaScript 153L · 5.0 KB

├─ 📋 status.json JSON 20L · 505 B

├─ 📜 stop-btc-grid.js JavaScript 125L · 4.2 KB

├─ 📋 strategy-summary.json JSON 36L · 758 B

├─ 📝 strategy_report.md Markdown 229L · 5.1 KB

├─ 📜 test-api-debug.js JavaScript 119L · 3.7 KB

├─ 📜 test-eth-grid.js JavaScript 147L · 5.0 KB

├─ 📜 test-grid-api.js JavaScript 127L · 4.1 KB

├─ 📜 test-klines.js JavaScript 51L · 1.6 KB

├─ 📜 test-order.js JavaScript 120L · 3.7 KB

├─ 🔧 test_multi_agent.sh Shell 33L · 913 B

├─ 📜 trade-analyzer.js JavaScript 308L · 10.6 KB

├─ 📝 trading_setup.md Markdown 176L · 4.1 KB

├─ 📋 ultra_deployment_report.json JSON 47L · 1.2 KB

├─ 📜 use-sdk.js JavaScript 124L · 3.9 KB

└─ 📝 启动报告_2026-03-10.md Markdown 146L · 3.3 KB

Security positives

All network requests go to legitimate Bitget API (api.bitget.com)

No base64-encoded malicious code or obfuscation detected

No remote code execution via curl|bash patterns

No credential exfiltration to external servers

Proper HMAC-SHA256 API signing implemented correctly

No hidden backdoor functionality discovered

No evidence of C2 communication or data theft

No sensitive file access (.ssh, .aws, .env) beyond documented config paths