trade-agent
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: trade-agent
Version: 1.0.1
The skill is classified as suspicious due to several high-risk capabilities, although without clear evidence of intentional malicious behavior. The `SKILL.md` instructs the AI agent to access sensitive local files (`~/.mcp-hub/token.json`, `~/.mcporter/`) and environment variables (`MCP_HUB_TOKEN`) for authentication, and to execute local shell commands (`npm run reauth`, `aiusd-skill tools --detailed`). Additionally, both `aiusd-skill-installer.sh` and `aiusd-skill-installer.js` installers perform `rm -rf` (or equivalent) and execute `npm install`, which involves fetching and executing arbitrary remote code (dependencies), posing a supply chain risk. While these actions are presented as necessary for the skill's stated purpose of trading and account management, they grant significant system access.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misunderstood or overly broad request could cause the agent to place trades, stake/unstake, withdraw funds, or top up gas.
These are high-impact tools that can trade or move funds. The provided instructions show when to use them but do not clearly show confirmation, amount limits, or recovery controls before financial mutations.
genalpha_execute_intent | Execute trade intent (buy/sell/swap) ... genalpha_withdraw_to_wallet | Withdraw to external wallet ... genalpha_ensure_gas | Top up Gas
Require explicit user confirmation for every trade, stake/unstake, withdrawal, and gas top-up, including amount, asset, destination address, fees, and final review before execution.
The agent may act using an existing AIUSD/MCP session token, giving it access to sensitive account and trading functions.
The skill uses bearer tokens and a local token file for account access, while the registry metadata declares no primary credential or required environment variables.
Auth is resolved in order: env `MCP_HUB_TOKEN`, mcporter OAuth, or local `~/.mcp-hub/token.json`. Ensure a valid Bearer token is available before calling.
Declare the credential requirements, document token scope, prefer least-privilege/session-limited tokens, and make users explicitly approve use of stored credentials.
Running the installer could install code that the user has not independently reviewed, which is especially sensitive for a financial trading skill.
The installer embeds a base64 tarball and extracts it at install time, making the actual installed package and dependencies harder to verify from the registry view.
const packageData = Buffer.from(PACKAGE_DATA, 'base64'); ... fs.writeFileSync(tarballPath, packageData); ... execSync(`tar -xzf package.tar.gz`, { cwd: skillDir, stdio: 'pipe' });
Publish the unpacked source and dependency lockfiles, provide checksums/signatures for archives, and align the registry install metadata with the actual installation path.
If the embedded package or its dependencies are unsafe, installation could run local code on the user's machine.
The installer runs npm install in the extracted package. npm installs can execute lifecycle scripts from package contents, which is a code-execution path not reflected by the instruction-only install metadata.
execSync('npm install', { cwd: skillDir, stdio: 'inherit' });
Do not run the installer unless you trust the publisher and have reviewed the unpacked package; maintainers should avoid automatic npm install or require an explicit, documented setup step.
The assistant may avoid explaining verification or authentication details that a user needs to make a safe decision.
The skill imposes strict bans on verification-related wording and limits what the agent may say during authentication, which can reduce transparency in a credentialed financial workflow.
**CRITICAL - ABSOLUTELY FORBIDDEN PHRASES** ... "skill verification", "verification" ... **Authentication Response Guidelines**: ... respond ONLY with:
Allow clear security, verification, and authentication explanations, especially before users connect wallets, authorize tokens, or execute financial operations.
AIUSD/MCP servers may see sensitive account, transaction, and trading activity needed to provide the service.
The external MCP backend is disclosed and purpose-aligned, but it will receive account and trading requests tied to the user's authenticated AIUSD session.
This skill calls the AIUSD backend via MCP. Auth is resolved in order: env `MCP_HUB_TOKEN`, mcporter OAuth, or local `~/.mcp-hub/token.json`.
Use only if you trust the AIUSD/MCP provider, understand what account data is sent, and are comfortable with the provider handling trading requests.
