Okx Trading Analyst

Security checks across malware telemetry and agentic risk

Overview

This skill mostly performs crypto market analysis, but it also has unsafe and under-disclosed local code execution paths that should be reviewed before installation.

Install only if you are comfortable reviewing or removing the Node wrapper and the default news integrations first. Do not provide an OKX secret or any API key with trading or withdrawal permissions; use read-only credentials at most, and prefer running the Python analyzer with --no-news unless you trust the referenced local news scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = '/Users/yirongcao/.openclaw/skills/crypto-monitor/scripts/news.js'
cmd = ['node', script_path, f'--coin={base_symbol}', f'--lang={lang}', f'--limit={max(20, limit * 4)}']

result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

if result.returncode != 0:
    return []
Confidence
92% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = '/Users/yirongcao/.openclaw/skills/wire-news-aggregator/scripts/wire_news.py'
cmd = ['python3', script_path, '--limit', str(max(20, limit * 4)), '--json']

result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)

if result.returncode != 0:
    return []
Confidence
93% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill metadata does not declare permissions even though the package reportedly uses environment variables, filesystem access, networking, and shell execution. That mismatch weakens user and platform visibility into what the skill can actually do, making it easier for risky capabilities to be exercised without informed consent or policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
This is a significant description-behavior mismatch: the skill claims to perform OKX market analysis, but static analysis indicates additional behaviors such as external news fetching, hardcoded calls to scripts outside the package, and persistent stateful monitoring. Hidden or under-disclosed behaviors are dangerous because they expand the trust boundary, can exfiltrate or ingest unexpected data, and may execute code outside the reviewed skill package.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file extends beyond manifest-described OKX technical analysis into multi-source news aggregation and reporting. Scope expansion increases attack surface, data flows, and trust assumptions, making it easier to hide risky behavior and harder for users and reviewers to understand what the skill actually does.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
A technical-analysis tool has no clear need to invoke a separate Node.js script from another skill directory. This unjustified capability materially increases risk because it permits execution of additional local code paths outside the reviewed file, which is especially dangerous in an agent-skill context where users expect a narrow function.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill executes another external Python script from a separate skill directory to retrieve wire news, which is an unnecessary privilege escalation for the stated purpose. In context, cross-skill execution creates a hidden trust dependency and enables lateral abuse if the other skill is tampered with.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger description is broad enough that the skill may activate for many general requests about crypto markets, technical indicators, or trading signals without clear boundaries. Over-broad activation can cause unintended execution of a networked, code-capable skill in contexts the user did not specifically request, increasing exposure to its undisclosed behaviors.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script builds a shell command by concatenating user-controlled arguments such as symbol and timeframe into a single string and passes it to execSync, which invokes a shell. An attacker could supply shell metacharacters to execute arbitrary commands on the host running the skill, making this a command injection vulnerability.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill runs an external Node.js script without clear user-facing disclosure, so users may believe only OKX API access is occurring while local cross-skill code is also being executed. Hidden execution paths reduce informed consent and make malicious or unsafe behavior harder to detect.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The wire-news subprocess is also not clearly disclosed to the user, despite executing code outside the current skill. In an agent context, undisclosed local code execution is security-relevant because it obscures actual capabilities and trust boundaries.

VirusTotal

65/65 vendors flagged this skill as clean.
