Token Scout

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: token-scout
Version: 1.0.0

The skill bundle is classified as suspicious due to multiple shell injection vulnerabilities present in all executable scripts (`find-accumulation.sh`, `small-cap-scanner.sh`, `token-lookup.sh`, `token-scanner.sh`). User-controlled inputs (e.g., `$CHAIN`, `$NETWORK`, `$TOKEN_ADDRESS`) are directly interpolated into `curl` command strings without proper sanitization or quoting, allowing for arbitrary command execution. For example, providing `base; cat /etc/passwd` as a chain name would execute `cat /etc/passwd`. Additionally, `token-lookup.sh` uses `sed` on user input, which could also be vulnerable to injection. While these are critical vulnerabilities, there is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints, persistence mechanisms, or prompt injection attempts in `SKILL.md`.