xaut-trade

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A small trade can spend funds and gas if the agent interprets the user's request as executable, even if the user expected a final confirmation step.

Why it was flagged

This explicitly allows a real on-chain swap below the configured threshold to proceed after a preview without waiting for a fresh user confirmation.

Skill content

- `< risk.confirm_trade_usd`: show full preview, then execute without blocking confirmation

Recommendation

Require explicit confirmation for every approve, swap, and cancel action; set `confirm_trade_usd` to 0 and `approve_confirmation_mode` to `always` if you install it.

What this means

If configured with a funded wallet, the skill can authorize blockchain approvals, swaps, limit orders, and cancellations involving real assets.

Why it was flagged

The skill clearly discloses that wallet access and signing authority are central to its operation.

Skill content

**By design**: this skill executes on-chain financial transactions ... Direct wallet access and transaction signing are core capabilities

Recommendation

Use a dedicated low-balance wallet, keep seed phrases out of chat, protect password files, and review every transaction before allowing execution.

What this means

Running the installer gives remote setup code access to the local machine.

Why it was flagged

The Foundry setup path downloads and executes a remote installer, which is disclosed and optional for Foundry mode but still requires trust in the upstream installer.

Skill content

`curl -L https://foundry.paradigm.xyz | bash && ... foundryup`

Recommendation

Prefer WDK mode if you do not need Foundry, or download and inspect the Foundry installer before running it.

What this means

If the resolved path is not the installed skill's script, the agent could run unintended local shell code.

Why it was flagged

The automated setup instructions can locate and execute a setup.sh from the user's home directory; this is intended setup behavior, but the path should be verified before execution.

Skill content

`find "$HOME" -maxdepth 6 -type f -path "*/xaut-trade/scripts/setup.sh" ... && bash "$SETUP_PATH"`

Recommendation

Have the agent print the resolved setup path first, confirm it is inside the installed xaut-trade skill directory, and inspect the script before running it.

What this means

Requests about betting, perps, leverage, or other markets may be handed to separate skills with their own permissions and risks.

Why it was flagged

The skill may route non-XAUT financial intents to other skills, expanding the effective trust boundary beyond this package.

Skill content

Delegates non-XAUT intents to registered skills (e.g. Polymarket prediction markets, Hyperliquid trading).

Recommendation

Verify which delegate skills are installed and ensure they also require explicit confirmation before any financial action.

Findings (8)

critical

suspicious.dangerous_exec

Location
scripts/lib/__tests__/create-wallet.test.js:24
Finding
Shell command execution detected (child_process).

critical

suspicious.dangerous_exec

Location
scripts/limit-order.js:186
Finding
Shell command execution detected (child_process).

critical

suspicious.env_credential_access

Location
scripts/limit-order.js:134
Finding
Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location
scripts/setup.sh:589
Finding
Environment variable access combined with network send.

critical

suspicious.exposed_secret_literal

Location
scripts/__tests__/wallet-init.test.js:31
Finding
File appears to expose a hardcoded API secret or token.

critical

suspicious.exposed_secret_literal

Location
scripts/lib/__tests__/create-wallet.test.js:152
Finding
File appears to expose a hardcoded API secret or token.

critical

suspicious.exposed_secret_literal

Location
scripts/lib/__tests__/signer.test.js:109
Finding
File appears to expose a hardcoded API secret or token.

critical

suspicious.secret_argv_exposure

Location
references/live-trading-runbook.md:18
Finding
Instructions pass high-value credentials through process argv.