Crypto Market Intel

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public market data and saves local JSON files, with no evidence of hidden data access, credential use, or automatic persistence.

Install only if you are comfortable with the skill contacting CoinGecko, Alternative.me, DeFi Llama, and Yahoo Finance and writing market-data JSON files to your chosen directory. Add the cron job only if you want ongoing hourly refreshes, and remove it when no longer needed. Treat generated market summaries or trading signals as informational, not financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill advertises and instructs the use of network access and local file writes, but the metadata shown in this file does not declare corresponding permissions. That mismatch is dangerous because agents or operators may invoke the skill without realizing it can exfiltrate data over the network or persist files to user-controlled locations such as ~/market-data.

Session Persistence

Medium
Category
Rogue Agent
Content
Schedule hourly market data fetches:

```bash
crontab -e

# Fetch market data every hour
0 * * * * cd ~/.openclaw/skills/crypto-market-intel/scripts && python3 market-data-fetcher.py all --output ~/market-data
```
Confidence
94% confidence
Finding
crontab -e

VirusTotal

66/66 vendors flagged this skill as clean.