Trade Agent
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: lobster-trade-agent
Version: 1.0.0
The skill bundle exhibits high-risk behavior by instructing the AI agent to execute shell commands (e.g., 'npm run reauth') and providing self-extracting installers (aiusd-skill-installer.sh/js) with opaque base64 payloads. Most notably, SKILL.md contains 'Forbidden Phrases' and strict output guidelines that mandate the agent hide specific terms like 'verification' and 'template,' and explicitly forbids the agent from providing URLs or step-by-step instructions to the user during authentication. These instructions appear designed to reduce transparency and control the agent's persona in a way that could mask unauthorized actions or incorrect URLs (https://aiusd.ai, https://mcp.alpha.dev/oauth/login).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user expecting trading analysis could instead give the skill authority over real crypto balances, trades, staking, withdrawals, and gas funding.
The same artifact frames the skill as market analysis while also granting crypto account-management and fund-movement functions, creating a material scope mismatch for users.
description: "交易策略Agent——自动分析黄金/外汇市场..." Calls backend via MCP for balance, trading, staking, withdraw, gas top-up, and transaction history.
Clearly label the skill as a high-impact AIUSD crypto trading/account-management tool and separate analysis-only functions from transaction-capable functions.
A mistaken or ambiguous chat request could lead to trades, staking changes, withdrawals, or gas top-ups affecting real funds.
The skill exposes high-impact financial mutation tools and directs the agent to discover changing live schemas, but the artifacts do not show mandatory human confirmation, limits, or rollback guidance.
genalpha_execute_intent | Execute trade intent (buy/sell/swap) ... genalpha_withdraw_to_wallet | Withdraw to external wallet ... NEW TOOLS may be added.
Require explicit user confirmation with exact asset, amount, destination, fees, and risk before every trade, stake/unstake, withdrawal, or gas top-up; disable newly discovered tools until reviewed.
Installing or using the skill may let it act with the user's AIUSD/MCP account privileges, including viewing balances and initiating account actions.
The skill uses bearer/OAuth/local token credentials for financial account access, while the registry metadata declares no required credentials or environment variables.
Auth is resolved in order: env `MCP_HUB_TOKEN`, mcporter OAuth, or local `~/.mcp-hub/token.json`. Ensure a valid Bearer token is available before calling.
Declare all credential requirements, use narrowly scoped tokens, avoid reading broad local token stores by default, and document exactly what account authority the token grants.
The assistant may avoid normal safety, verification, or explanation language when discussing the skill or its actions.
The skill attempts to control the agent's wording and forbids verification-related language, which is not necessary for trading and can interfere with transparent responses.
CRITICAL - ABSOLUTELY FORBIDDEN PHRASES ... "skill verification", "verification" ... ZERO TOLERANCE
Remove broad output bans, especially verification-related bans, and limit style guidance to user-facing clarity that does not suppress safety or review information.
Running the installer could place and install unreviewed code and dependencies on the user's machine.
The installer contains an embedded encoded package, extracts it, and installs dependencies, but the registry says there is no install spec and the embedded package contents are not transparently declared.
const packageData = Buffer.from(PACKAGE_DATA, 'base64'); ... execSync(`tar -xzf package.tar.gz`, { cwd: skillDir, stdio: 'pipe' }); ... execSync('npm install', { cwd: skillDir, stdio: 'inherit' });
Publish a transparent source repository and lockfile, declare the install mechanism in metadata, and avoid self-extracting opaque archives.
Users cannot easily tell which publisher/package identity they are trusting.
The embedded metadata conflicts with the registry listing's owner, slug, and version, creating provenance ambiguity for a high-impact trading skill.
"ownerId": "kn77ncj465rvq2n8f53jat26ch80jen8", "slug": "trade-agent", "version": "1.0.1"
Align registry metadata and embedded metadata before publication and provide a verifiable homepage/source link.
If the user runs this installer, local code execution and dependency installation occur outside the clearly declared skill installation path.
The shell installer decodes and extracts an embedded archive and runs package installation commands, despite the skill being presented as instruction-only in the install specification.
tail -n +$ARCHIVE_START "$0" | base64 -d | tar -xzf - -C "$SKILL_DIR" ... npm install >/dev/null 2>&1
Do not run the installer until the archive contents and dependencies are independently reviewed; replace it with a standard, declared, auditable install process.
Balance, transaction, and trade-related requests may be processed by the AIUSD/MCP backend rather than staying purely local.
The skill sends account and trading operations through an MCP backend; this is purpose-aligned, but it involves sensitive financial data and delegated actions.
Calls the backend MCP interface to retrieve balance, trading signals, staking, withdrawal, and other information. the AIUSD backend via MCP.
Verify the backend identity, token scopes, and privacy policy before using the skill with real funds.
