Back to skill

Security audit

Thetaedge Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ThetaEdge finance integration, but it needs review because it can access sensitive financial data and includes under-scoped trade-action and setup behaviors.

Install only if you intend to let an agent use your ThetaEdge account and send financial prompts, account IDs, positions, transactions, portfolio context, and strategy details to ThetaEdge. Treat the ThetaEdge key as a sensitive financial credential, keep the config files out of source control and sync tools, and rotate the key if exposed. Require explicit human review before any opportunity "act" or execute-style request. Use the VM setup, SSH agent forwarding, and tunnel helper only in a trusted, short-lived development environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script establishes SSH tunnels that expose services between the host and an OpenClaw VM, which is outside the stated finance/trading functionality of the skill. Even if intended for local development, it creates an undocumented connectivity path that can expand the attack surface and enable unintended access to local APIs or dashboards if the VM or host environment is compromised.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script uses both local (-L) and remote (-R) port forwarding, including exposing the host's ThetaEdge API into the VM. Bidirectional forwarding is especially risky because it allows a less-trusted VM context to reach host-local services that may not be hardened for cross-boundary access, potentially enabling data exposure, lateral movement, or abuse of privileged local APIs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to place a live API key directly into a persistent settings file, but provides no warning about credential sensitivity, file permissions, backup exposure, or rotation practices. In a finance/trading skill, that key may grant access to brokerage-linked portfolio data or trading intelligence, so poor handling increases the risk of credential leakage through local compromise, screenshots, shared configs, sync tools, or source control mistakes.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation language is very broad (`any finance, investing, or trading related tasks` and `any related topic`), which can cause the skill to trigger on common financial conversations and send user queries to an external service unnecessarily. In this context, overbroad invocation increases privacy risk because portfolio, positions, transactions, and account-related prompts may be routed off-platform more often than the user expects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to read API keys from environment variables and local config files, then use them in outbound requests, but it does not include a clear user-facing warning or consent step for handling secrets and financial account data. In a finance skill, this matters more because the same workflow can expose sensitive brokerage metadata and account-scoped information to a third-party API without explicit acknowledgment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide recommends SSH agent forwarding and describes it as a way to avoid copying private keys, but it omits the key security caveat: while the session is active, code running in the VM can use the forwarded agent to authenticate to other systems as the user. In this skill context, the VM is explicitly used to run third-party tools and a finance-related skill, so compromised software or malicious prompts/scripts inside the VM could abuse the forwarded agent to access private repositories or other SSH-trusted resources.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The documentation instructs users to `cat ~/.openclaw/openclaw.json`, which may print ThetaEdge credentials or other secrets directly to the terminal, shell logs, scrollback buffers, recordings, or shared support sessions. In a finance/trading skill, those credentials may grant access to brokerage-linked or market-related data, so even read-only exposure is a meaningful secret-handling weakness.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide tells users to place the API key directly on the shell command line with `echo 'ANTHROPIC_API_KEY=...' > ~/.openclaw/.env`, which can leak the secret through shell history, terminal logging, process auditing, or screen capture. Although the document claims keys are entered securely elsewhere, this update path contradicts that guidance and introduces an avoidable credential-exposure risk.

Missing User Warnings

High
Confidence
93% confidence
Finding
The opportunity action endpoint explicitly allows `action: "act"` to execute a trading opportunity, yet the reference does not warn that this may place or trigger real account actions. In a finance/trading skill, this is especially dangerous because an agent or user could treat the operation as a harmless analysis step and unintentionally cause live financial activity with direct monetary consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script masks but still prints part of the API key (`api_key[:6] + '...'`) to stdout. Partial secret disclosure is still sensitive because terminal logs, screenshots, CI output, shell history capture, or support bundles may expose enough information to aid key identification and correlation, especially in a finance-related skill handling brokerage access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code persists API credentials to local configuration files, including agent-specific settings locations, which creates a durable secret-at-rest exposure. Although Unix permissions are restricted to 0600, there is no equivalent hardening shown for Windows and no indication of using an OS credential store, so secrets may be accessible to other local processes, backups, sync tools, or users with filesystem access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script downloads and executes the nvm installer directly from GitHub via `curl | bash` without integrity verification, pinning to a checked hash, or showing the fetched content for review. This creates a supply-chain execution path where a compromised upstream, DNS/TLS interception, or unexpected installer change results in arbitrary code execution on the VM.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The OpenClaw installer is executed directly from `https://openclaw.ai/install.sh` with `curl -fsSL ... | bash`, which is an unsafe remote code execution pattern. The risk is heightened because the script later proceeds even if the installer fails (`|| true`), making installation state harder to reason about and potentially masking partial compromise or unexpected behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.