Crypto Analyst

Security checks across malware telemetry and agentic risk

Overview

This crypto analysis skill is mostly aligned with its purpose, but it under-discloses default execution of hard-coded scripts from other local skills and uses OKX account credentials for private balance access.

Review before installing. Use only read-only OKX API keys with trading and withdrawals disabled, avoid storing powerful exchange credentials in this skill directory, and run OKX analysis with news disabled unless you intentionally trust the separate local crypto-monitor and wire-news-aggregator helper scripts at the hard-coded paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = '/Users/yirongcao/.openclaw/skills/crypto-monitor/scripts/news.js'
cmd = ['node', script_path, f'--coin={base_symbol}', f'--lang={lang}', f'--limit={max(20, limit * 4)}']

result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

if result.returncode != 0:
    return []
Confidence
93% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = '/Users/yirongcao/.openclaw/skills/wire-news-aggregator/scripts/wire_news.py'
cmd = ['python3', script_path, '--limit', str(max(20, limit * 4)), '--json']

result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)

if result.returncode != 0:
    return []
Confidence
93% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands, reads local files such as .env, accesses environment-derived OKX credentials, and performs network requests, yet it declares no permissions or capability boundaries. This makes the trust boundary opaque and can cause users or orchestrators to expose secrets or allow broader execution than expected, especially because account-balance access touches private exchange data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose focuses on crypto market analysis, but the skill also references reading OKX API credentials from .env and accessing private account data, plus additional external sentiment/news sources not clearly disclosed in the description. This mismatch can mislead users into granting access to sensitive secrets or allowing data flows they did not reasonably expect.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The docstring claims the script uses only public endpoints, but it actually signs requests to the private OKX account balance endpoint using API credentials. This misrepresentation can mislead users or reviewers into granting sensitive credentials under false assumptions, increasing the chance of unintended secret exposure and privileged API access.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
A crypto analysis tool unexpectedly executes local programs from unrelated skill directories to obtain news. In this context, hidden cross-skill execution is especially risky because users would reasonably expect market-data retrieval, not arbitrary local code execution through loosely coupled helper scripts.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad trigger phrases like '分析BTC', '行情查询', and '风险评估' are common natural-language expressions and may cause accidental activation. Unintended invocation is risky here because the skill can initiate network access and potentially use configured credentials for private exchange-related actions.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The workflow says the skill should act when users say generic phrases like '分析BTC' or '帮我看看行情', which are ambiguous everyday requests. In a skill that can call external services and potentially touch private-account features, vague activation increases the chance of unintended data access or execution.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script runs an external local program without clearly warning the user that additional code from another skill will be executed. This hidden behavior weakens user consent and makes trust decisions harder, increasing the chance that malicious or modified helper code runs unnoticed.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
A second undisclosed subprocess invocation expands the same hidden execution surface, this time to a different local skill. In a trading-analysis context, undisclosed code execution is more dangerous because users may run the tool with elevated trust and network access while expecting only analytics.

VirusTotal

VirusTotal findings are pending for this skill version.
