Crypto Executor Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is disclosed as a crypto trading optimizer, but it needs review because it can store exchange credentials, download trading code, run on a schedule, modify live bot code, and restart the trading service.

Install only after intentionally accepting autonomous changes to a crypto trading bot. Use paper trading or a small restricted account first, disable withdrawals on Binance keys, audit and pin the downloaded GitHub code, prefer a virtualenv and a secret manager, review sudo/crontab permissions, and disable Telegram notifications unless you are comfortable sending optimization status to Telegram.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Rogue AgentSelf-Modification, Session Persistence
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (24)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill declares significant capabilities in prose and metadata—modifying files, invoking shell commands, restarting services, and installing cron—but the static finding indicates these are not represented as formal permissions. This under-declaration weakens policy enforcement and review, because an operator may authorize the skill based on incomplete capability disclosure while it can still alter system state.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 98% confidence
Finding: The published description frames the skill as a periodic optimizer, but the document also describes bootstrap behavior: downloading executable code from GitHub, collecting and storing Binance credentials, installing dependencies, controlling services, and creating persistence via cron. This mismatch is dangerous because it obscures the real attack surface and can trick users into approving a skill with far broader and riskier behavior than advertised.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The script transmits optimization status and the free-form REASON field to Telegram using bot credentials from the environment. Even if intended as operational alerting, this expands the skill's scope from local tuning into external data exfiltration and can leak sensitive strategy context or operator-supplied content without explicit consent.

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: Sourcing /workspace/data/bot_config.env executes shell syntax from an external file in the current process, not just reads configuration values. If that file is modified or attacker-controlled, arbitrary commands can run during the restart path, and the script gains access to whatever secrets are stored there beyond its stated optimization role.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The script extends a trading-optimizer skill into a persistent scheduled task by installing an OpenClaw cron job and, if unavailable, falling back to system crontab modification. That persistence materially expands the skill's authority and blast radius: once installed, the skill can repeatedly read and modify trading-related files without fresh user approval every run.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The fallback path writes to the user's crontab, which is a host-level persistence mechanism not strictly necessary for a one-time optimizer installer. In this skill context, that means a component intended to tune executor parameters can gain recurring execution on the host, creating a durable foothold and enabling repeated file modifications or misuse if the skill or OpenClaw invocation is later altered.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The script materially exceeds the stated purpose of an optimizer skill by installing software, collecting exchange credentials, writing secrets to disk, and launching a trading bot. This broadens the trust boundary and gives the skill effective control over trading operations and secrets, which is dangerous in an autonomous agent context where users may expect only parameter tuning.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The script fetches code directly from GitHub 'main' for both executor and oracle components, creating a supply-chain risk because mutable remote content can change at any time. It then relies on those fetched components in the same setup flow, meaning unreviewed code can quickly become executable in a trading environment with access to secrets and funds.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The script interactively collects Binance and Telegram secrets and persists them to a local config file, which is unrelated to the narrow optimizer role and expands the skill into secret handling. In an agent skill, unnecessary secret collection increases the blast radius of compromise and can mislead users into disclosing credentials to a component that should not need them.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The script stops existing processes, interacts with system services, and launches a long-running bot process, going beyond a minimal validate-and-restart action for a known target. This increases operational risk because a broadly scoped skill can disrupt other workloads or establish persistence under the guise of optimization.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README explicitly describes an unattended workflow that reads metrics, modifies executor.py, validates it, and restarts a system service on a 6-hour cron. Even if backups and syntax checks exist, the documentation does not prominently warn users that local code and running system state will be changed automatically, which can lead to unsafe autonomous reconfiguration, service disruption, or propagation of bad parameter decisions in a live trading environment.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script performs privileged service restart actions and process management automatically, including sudo systemctl restart and a pkill/nohup fallback, with no user confirmation or approval gate. In an autonomous optimizer context, this increases blast radius because a bad optimization decision immediately changes a running trading service.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The Telegram network transmission occurs silently and is not obviously necessary to the core task of editing executor parameters. Undisclosed outbound messaging is risky because it can leak operational state and establishes an external communications channel from an otherwise local maintenance script.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: On success, the script sends optimization details externally without an explicit user-facing warning or consent step. In this skill, the message includes REASON and restart status, which may reveal trading strategy adjustments or internal operations to external systems.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The API secret is read with visible terminal input and the user is not clearly warned beforehand that the value will be written to disk. This can expose secrets through shoulder surfing, terminal recording, command session capture, or user misunderstanding about persistence.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The script automatically downloads external code and proceeds toward execution without an explicit confirmation checkpoint after retrieval. In this context, that means users may end up running newly fetched, unaudited trading code with account credentials and process control privileges without a deliberate trust decision.

External Transmission

Medium

Category: Data Exfiltration
Content: endpoints_allowed: - "https://raw.githubusercontent.com/georges91560/crypto-executor/main/executor.py" - "https://raw.githubusercontent.com/georges91560/crypto-sniper-oracle/main/crypto_oracle.py" - "https://api.telegram.org/bot*" requires_credentials: false uses_websocket: false security_level: "L2 - System Modification (modifies executor.py + restarts service)"
Confidence: 86% confidence
Finding: https://api.telegram.org/

Sudo/Root Execution

Medium

Category: Privilege Escalation
Content: backup, validates Python syntax, and rolls back automatically on error. privilege_requirements: uses_sudo: true reason: "sudo systemctl restart crypto-executor — required to restart the trading bot service" uses_crontab: true cron_schedule: "0 */6 * * *" cron_purpose: "Trigger Wesley optimization cycle every 6 hours"
Confidence: 96% confidence
Finding: sudo

Sudo/Root Execution

Medium

Category: Privilege Escalation
Content: | Action | Pourquoi | |---|---| | `sudo systemctl restart crypto-executor` | Redémarrer le bot après optimisation | | `sudo systemctl stop/start crypto-executor` | Contrôle du service au setup | | `pkill -f executor.py` | Fallback si systemd indisponible | | `crontab -e` | Installer le job récurrent (fallback system cron) |
Confidence: 96% confidence
Finding: sudo

Sudo/Root Execution

Medium

Category: Privilege Escalation
Content: | Action | Pourquoi | |---|---| | `sudo systemctl restart crypto-executor` | Redémarrer le bot après optimisation | | `sudo systemctl stop/start crypto-executor` | Contrôle du service au setup | | `pkill -f executor.py` | Fallback si systemd indisponible | | `crontab -e` | Installer le job récurrent (fallback system cron) |
Confidence: 95% confidence
Finding: sudo

Credential Access

High

Category: Privilege Escalation
Content: - systemctl env: [] setup_env: - BINANCE_API_KEY # collected interactively at setup, persisted to /workspace/data/bot_config.env (chmod 600) - BINANCE_API_SECRET # collected interactively at setup, persisted to /workspace/data/bot_config.env (chmod 600) optional_env: - TELEGRAM_BOT_TOKEN
Confidence: 97% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: env: [] setup_env: - BINANCE_API_KEY # collected interactively at setup, persisted to /workspace/data/bot_config.env (chmod 600) - BINANCE_API_SECRET # collected interactively at setup, persisted to /workspace/data/bot_config.env (chmod 600) optional_env: - TELEGRAM_BOT_TOKEN - TELEGRAM_CHAT_ID
Confidence: 97% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: install_notes: > setup_binance_20euros.sh performs the following actions on first run: (1) prompts for BINANCE_API_KEY and BINANCE_API_SECRET and persists them to /workspace/data/bot_config.env (chmod 600, user-owned); (2) downloads executor.py from raw.githubusercontent.com/georges91560/crypto-executor and optionally crypto_oracle.py from raw.githubusercontent.com/georges91560/crypto-sniper-oracle — audit both files before running;
Confidence: 96% confidence
Finding: .env

Session Persistence

Medium

Category: Rogue Agent
Content: | `sudo systemctl restart crypto-executor` | Redémarrer le bot après optimisation | | `sudo systemctl stop/start crypto-executor` | Contrôle du service au setup | | `pkill -f executor.py` | Fallback si systemd indisponible | | `crontab -e` | Installer le job récurrent (fallback system cron) | ---
Confidence: 91% confidence
Finding: crontab -e

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal