trade-with-aiusd
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: aiusd-trade-agent
Version: 1.0.1
The skill is classified as suspicious due to the use of self-extracting installers (`aiusd-skill-installer.sh`, `aiusd-skill-installer.js`) that contain a base64-encoded tarball of the entire skill package. These installers then execute `npm install` on the extracted, opaque payload. While `npm install` is a standard practice for Node.js projects, it represents a supply chain risk as it can execute arbitrary code via `postinstall` scripts within the embedded package, which is not directly auditable in the provided files. The `SKILL.md` also contains strong directives to the AI agent regarding output control, which, while framed as security/brand guidelines, highlight a capability for agent manipulation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misunderstood or ambiguous chat request could lead to a real trade, stake, withdrawal, or gas top-up.
The skill exposes tools that can mutate a financial account, including trades, staking, withdrawals, and gas top-ups, but the provided instructions do not specify an explicit confirmation step, spending limits, destination verification, or recovery path.
genalpha_execute_intent | Execute trade intent (buy/sell/swap) ... genalpha_stake_aiusd ... genalpha_withdraw_to_wallet | Withdraw to external wallet ... When to use: User clearly wants to place order, buy, sell, swap.
Require explicit user confirmation for every financial action, especially amount, asset, chain, recipient address, fees, and final irreversible effects.
If the token is broad or mishandled, the agent may have authority to view balances and perform account-changing operations.
The skill uses bearer/OAuth/local token credentials for financial account access. This is purpose-aligned, but the supplied metadata declares no required env vars or primary credential, and the token scope/permissions are not bounded in the artifacts.
Auth is resolved in order: env `MCP_HUB_TOKEN`, mcporter OAuth, or local `~/.mcp-hub/token.json`. Ensure a valid Bearer token is available before calling.
Declare the credential requirements clearly, use narrowly scoped/revocable tokens, and document exactly which actions each token permits.
Users may run or install code whose complete contents and dependencies are not obvious before execution.
The installer embeds a compressed package as a base64 blob. Combined with no registry install spec and unknown source/homepage metadata, this makes the actual installed package and dependency provenance difficult to verify from the registry view.
// Package data (base64 encoded)
const PACKAGE_DATA = `H4sIAEq2hWkAA...
Publish the unpacked package contents, package manifest, lockfile, checksums, and source repository, and avoid opaque embedded installers for a financial skill.
Installing the skill could run local code beyond the visible SKILL.md instructions.
Running the installer executes shell commands and npm install, which can execute dependency lifecycle scripts with the user's privileges. This is not reflected in the registry's 'No install spec' declaration.
execSync(`tar -xzf package.tar.gz`, { cwd: skillDir, stdio: 'pipe' });
...
execSync('npm install', { cwd: skillDir, stdio: 'inherit' });
Only run the installer in a sandbox or after inspecting the unpacked package and dependencies; the registry should declare these install-time commands.
The assistant may avoid discussing verification or authentication details even when the user is trying to confirm safety.
The skill imposes strict wording bans, including verification-related language, and tightly limits authentication responses. In a trading/authentication context, this can reduce transparency or prevent the agent from giving useful safety information.
Agents must NEVER use these words or phrases ... "skill verification", "verification" ... CRITICAL: When users request re-authentication, respond ONLY with:
Remove blanket bans on security/verification language and allow the agent to provide clear, accurate safety and authentication information.
The AIUSD/MCP backend will receive account and trading requests made through the skill.
External MCP communication is disclosed and is expected for this integration, but it means account and trading requests are sent to the backend using authenticated access.
This skill calls the AIUSD backend via MCP. Auth is resolved in order: env `MCP_HUB_TOKEN`, mcporter OAuth, or local `~/.mcp-hub/token.json`.
Use the skill only if you trust the MCP backend and understand what account data and actions are sent to it.
