Security audit

Crypto Analyst

Security checks across malware telemetry and agentic risk

Overview

This crypto-analysis skill is mostly purpose-aligned, but it under-discloses private OKX account access and runs hard-coded external local scripts during normal analysis.

Review before installing. Use only read-only OKX API credentials with no trading or withdrawal permissions, avoid the balance checker unless you intentionally want private account-balance output, and run OKX analysis with --no-news unless you have inspected and trust the hard-coded helper scripts at the referenced local paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = '/Users/yirongcao/.openclaw/skills/crypto-monitor/scripts/news.js'
cmd = ['node', script_path, f'--coin={base_symbol}', f'--lang={lang}', f'--limit={max(20, limit * 4)}']

result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

if result.returncode != 0:
    return []
Confidence
88% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script_path = '/Users/yirongcao/.openclaw/skills/wire-news-aggregator/scripts/wire_news.py'
cmd = ['python3', script_path, '--limit', str(max(20, limit * 4)), '--json']

result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)

if result.returncode != 0:
    return []
Confidence
88% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents capabilities that require network access, shell execution, file reads, and environment variable access, yet it declares no permissions. This creates a transparency and trust failure: a user or platform may authorize or invoke the skill without understanding that it can reach external services and access local secrets such as .env-based API keys.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior extends beyond the stated purpose by accessing private OKX account data via local .env credentials and by invoking external/news-related scripts outside the described exchange-analysis scope. This mismatch is dangerous because users may reasonably expect only public market analysis, while the skill can access sensitive account information and undisclosed external integrations.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The module docstring is misleading: it states the script uses only public endpoints, but the implementation signs and sends an authenticated request to the private OKX account balance API. That mismatch can cause users to run the script under a false sense of safety and provide API credentials unnecessarily, increasing the chance of credential misuse or accidental exposure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill expands its capabilities beyond technical analysis by executing external local scripts to gather news. In an agent environment, this is dangerous because it introduces hidden execution paths and cross-component trust that are not necessary for the stated purpose, increasing the attack surface substantially.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The implementation depends on unrelated local skills through hard-coded user-specific filesystem paths. This breaks portability and, more importantly, trusts mutable files outside the package boundary, allowing local tampering or dependency confusion to alter behavior and execute unintended code.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Overly broad trigger phrases like general requests for market analysis can cause the skill to activate during ordinary conversation without clear user intent. In a skill with network, shell, and secret-access-adjacent capabilities, accidental invocation increases the chance of unintended external calls or exposure of sensitive workflow behavior.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The script reads API credentials from environment variables and immediately uses them in an authenticated network request, but gives users only a minimal docstring notice. In a skill context where code may be executed by others, insufficient disclosure is risky because users may not realize secrets are being consumed and transmitted to a third-party service.

Missing User Warnings

Low
Confidence
92% confidence
Finding
This script generates investment schedules, projections, and scenario analyses that could be interpreted by users as actionable financial guidance, but it does not clearly disclose that the output is informational only and not financial advice. In the context of a crypto-analysis skill that explicitly offers trading signals, position sizing, DCA plans, and risk assessment, the absence of a disclaimer increases the chance that users rely on the output for real financial decisions.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.