Aicoin Account

Security checks across malware telemetry and agentic risk

Overview

This skill needs Review because its account-management/read-only framing understates live trading, leverage, order cancellation, and fund-transfer powers.

Install only if you intend to give an agent exchange-account authority. Use tightly scoped API keys, avoid withdrawal permissions, and avoid enabling order, leverage, margin, or transfer permissions unless you explicitly need them. Install dependencies ahead of time, review any .env files the skill can read or write, and treat transfer/trading requests as actions requiring clear human confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The file explicitly labels the skill as providing 'Safe read-only operations' while also documenting state-changing behaviors such as fund transfers and registration/referral flows. This mismatch can mislead an agent or operator into invoking the skill under the assumption that it cannot modify account state, increasing the chance of unauthorized or unintended actions.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
Calling the skill read-only in the same section that advertises a transfer command creates a dangerous trust signal mismatch. In agentic environments, safety labels influence routing and execution decisions, so incorrect documentation can directly contribute to real fund movements being treated as harmless queries.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The client automatically reads multiple local .env files and imports any variables it finds into process.env, which expands the skill's access to locally stored secrets beyond what a user would expect from an exchange-account management tool. In this skill context, that is more dangerous because the tool already handles API credentials, so broad secret loading increases the chance of unintended credential use, cross-context secret exposure, or accidental reliance on hidden local state.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The saveKey function persists exchange API credentials into a workspace .env file, creating a durable local secret store inside the agent environment. In an account-management skill, this is especially sensitive because the stored keys may later be read by other tools, leaked through workspace access, backups, or logs, and used to access the user's exchange account.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The script actively searches multiple local .env locations, including home-directory paths, to discover whether an AiCoin API key is present and reveals the filesystem path plus a key preview. Even though it does not exfiltrate the full secret, this is still credential discovery behavior that expands access beyond the immediate skill scope and leaks sensitive environment structure and partial credential metadata.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The manifest presents this as an account-management skill, but the implementation includes live order placement, cancellation, leverage changes, margin mode changes, and transfers. In an agent context, this scope mismatch is dangerous because users or upstream policy may permit the skill for read-oriented account tasks while the code can perform irreversible trading and fund-moving actions.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill executes `npm install --omit=dev` via `execSync` at runtime if `ccxt` is missing. Runtime package installation introduces shell execution and supply-chain risk, allowing unexpected code download and execution in environments where the skill otherwise only needed library imports.

Intent-Code Divergence

Severity: Critical
Confidence: 99%
Finding
The security notice says keys are only for market data and cannot perform trading or read exchange information, yet the code explicitly loads exchange API credentials and uses them for balances, positions, orders, transfers, leverage, and margin operations. This misleading assurance can cause users to provide powerful credentials under false pretenses, greatly increasing the chance of unauthorized trading or account changes.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger list includes broad phrases like '活动' (activity), '最近操作' (recent operations), and '我做过什么' (what have I done), which are common conversational expressions and can match user intent outside exchange-account contexts. Overbroad routing can cause the wrong skill to activate, exposing account history or enabling follow-on sensitive actions in response to unrelated requests.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documentation presents a fund transfer command as a normal command example without a clear safety warning, confirmation requirement, or indication that it changes account state. In a financial skill, omission of such guardrails materially increases the risk of accidental asset movement or abuse through prompt-routing mistakes.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This code writes API credentials to .env without any visible warning, confirmation, or disclosure in the implementation path, so a caller may trigger durable secret storage without understanding that behavior. Silent persistence is dangerous because users may believe they are supplying credentials only for a one-time validation while the skill stores them for future reuse.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding
The client silently loads environment data from several .env locations, including workspace and home-directory paths, without any user-facing disclosure. While not an exploit by itself, this hidden behavior increases the risk of surprising secret ingestion and makes it harder for users to understand which credentials the skill is actually using.

Credential Access

Severity: High
Category: Privilege Escalation
Content
import { resolve } from 'node:path';

// Locations the client probes for secrets: the current workspace, then two home-directory paths.
const ENV_PATHS = [
  resolve(process.cwd(), '.env'),
  resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'),
  resolve(process.env.HOME || '', '.openclaw', '.env'),
];
Confidence: 95%

Credential Access

Severity: High
Category: Privilege Escalation
Content
import { resolve } from 'node:path';

// Locations the client probes for secrets: the current workspace, then two home-directory paths.
const ENV_PATHS = [
  resolve(process.cwd(), '.env'),
  resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'),
  resolve(process.env.HOME || '', '.openclaw', '.env'),
];
Confidence: 95%

Credential Access

Severity: High
Category: Privilege Escalation
Content
import { resolve } from 'node:path';

// Locations the client probes for secrets: the current workspace, then two home-directory paths.
const ENV_PATHS = [
  resolve(process.cwd(), '.env'),
  resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'),
  resolve(process.env.HOME || '', '.openclaw', '.env'),
];

// Searches ENV_PATHS for an AiCoin API key; body not included in the report excerpt.
function findKey() {
}
Confidence: 95%

VirusTotal

VirusTotal findings are pending for this skill version.