Skill Trust Decision

grid-trading-pro

The documentation claims to implement automated grid trading, but the code is only a simulated demo lacking real trading logic and API integration, which constitutes clear documentation deception.

Source: ClawHub · Scanned: 13 days ago
Files 5 · Artifacts 3 · Violations 0 · Findings 5

Why this conclusion was reached

0/4 dimensions flagged
Pass: Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review: Hidden execution and egress

3 lower-risk artifacts were extracted and still need context.

Pass: Attack chain and severe findings

There is no explicit malicious chain in the report.

Pass: Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

What drove the risk score up

Documentation deception +25

The features described in SKILL.md (notifications, report export, real API calls) are completely absent from the code.

Severe declaration/behavior mismatch +15

The documentation describes automated trading, but the code is only a price simulation with no real exchange interaction.

Over-declared permissions +5

SKILL.md declares that BINANCE_API_KEY/SECRET_KEY are required, but the code does not read any environment variables.

Most important evidence

Medium Doc Mismatch

Notification feature described in the documentation is not implemented

SKILL.md describes Telegram/Discord/Email notification configuration in detail, including SMTP settings, but index.js contains no notification-related code at all.

index.js:1
If the notification feature is declared, it should be implemented in the code; if it is not needed, it should be removed from the documentation.
Medium Doc Mismatch

Claims real exchange API integration, but is actually a simulation

SKILL.md claims 'Automatically creates optimal grid levels' and 'exchanges API', but the code uses Math.random() to simulate prices, with no ccxt library calls at all.

index.js:137
Use the ccxt library to actually connect to an exchange, or clearly mark the skill as simulation mode.
Medium Doc Mismatch

Report export feature missing

SKILL.md mentions 'Export reports (CSV/PDF)', but the getReport() method only returns a JSON object and contains no file-generation logic.

index.js:181
Implement CSV/PDF export or remove the feature from the documentation.
Medium Doc Mismatch

Automatic grid adjustment feature missing

SKILL.md claims 'Adjusts grids based on volatility', but initializeGrids() uses fixed spacing with no volatility-adaptive logic.

index.js:31
Implement dynamic grid adjustment based on historical volatility.
Low Supply Chain

Declares a ccxt dependency but does not use it

package.json declares the dependency ccxt@^4.0.0, but index.js contains no require('ccxt') or any other ccxt-related code.

package.json:17
If real exchange integration is needed, actually use the ccxt library; otherwise remove the dependency.

Declared capability vs actual capability

Filesystem · Pass · Declared NONE · Inferred NONE · No file read/write operations in the code
Network · Pass · Declared READ · Inferred NONE · No network requests at all; prices are simulated with Math.random()
Shell · Pass · Declared NONE · Inferred NONE · No subprocess or exec calls
Environment · Pass · Declared READ · Inferred NONE · Declares that BINANCE_API_KEY is required, but the code never reads process.env
Database · Pass · Declared NONE · Inferred NONE · No database operations

Suspicious artifacts and egress

Medium External URL
https://discord.com/api/webhooks/...

README.md:288

Info Email
[email protected]

README.md:295

Info Email
[email protected]

README.md:482

Dependencies and supply chain

Package · Version · Source · Known vuln · Notes
ccxt · ^4.0.0 · npm · No · ccxt dependency is declared but completely unused in the code

File composition

5 files · 1260 lines
Markdown 2 files · 976 lines
JavaScript 1 file · 233 lines
JSON 2 files · 51 lines
Files of concern · 3
README.md Markdown · 488 lines
https://discord.com/api/webhooks/... · [email protected] · [email protected]
index.js JavaScript · 233 lines
Notification feature described in the documentation is not implemented · Claims real exchange API integration, but is actually a simulation · Report export feature missing · Automatic grid adjustment feature missing
package.json JSON · 27 lines
Declares a ccxt dependency but does not use it
Other files · SKILL.md · _meta.json

Security positives

No malicious behavior and no credential theft in the code
No shell execution or system command calls
No sensitive file access or environment variable exfiltration
Clear code structure, implemented as a pure JavaScript class