Skillv1.1.4

ClawScan security

Aicoin Account · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 10, 2026, 4:43 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill claims to be safe/read-only but includes code to perform transfers and create orders, auto-installs ccxt, and loads .env files from multiple locations — a capability/privilege mismatch that warrants caution.
Guidance: This skill is not purely read-only despite its description: the code includes functions to create orders and transfer funds and will attempt to auto-install ccxt. Before installing, consider: (1) Only provide minimal-permission exchange API keys (ideally read-only / query-only keys) — do not give full trading/withdraw permissions unless you intend to allow trading. (2) The skill auto-loads .env files from the current directory and ~/.openclaw paths — avoid putting unrelated secrets in those files, and review their contents first. (3) The skill auto-installs npm packages (ccxt) the first time it runs; review package.json and lockfile if you want to vet dependencies. (4) There are affiliate/referral jump.do links (redirectors) in registration flows — these are not code-exfiltration but are external redirects you may not want exposed. (5) If you plan to use this skill only for viewing balances, consider creating and supplying API keys restricted to read-only access and test in an isolated environment. Finally, if you are unsure, review the create_order/transfer functions in scripts/exchange.mjs (truncated in manifest) or run the scripts in a sandbox before giving any real credentials.

Review Dimensions

Purpose & Capability: concernThe SKILL.md and description emphasize 'read-only' exchange queries, balances and registration, but the code (scripts/exchange.mjs) implements create_order, transfer and other write-capable operations (truncated but clearly present). The skill also expects exchange API keys (BINANCE_API_KEY, OKX_API_KEY, etc.) to perform authenticated actions — which is coherent for a full account-management skill but contradicts the 'Safe read-only operations' claim in the README. PrimaryEnv AICOIN_ACCESS_KEY_ID matches the included AiCoin API client usage.
Instruction Scope: concernRuntime code auto-loads .env files from multiple locations (cwd → ~/.openclaw/workspace/.env → ~/.openclaw/.env) and reveals env-file paths in outputs (api-key-info). The SKILL.md does document that .env autoloading, but the scripts will read any variables present in those files and use them (including exchange and proxy vars). The instructions require running node scripts from the skill directory and allow child-process execution (execSync) to install dependencies. The combination of reading arbitrary .env files and supporting write operations is scope creep compared to a purely read-only description.
Install Mechanism: noteThere is no formal install spec, but scripts/exchange.mjs attempts to auto-install npm dependencies (execSync('npm install --omit=dev') in the skill dir) if ccxt is missing. That will write to disk and fetch packages from the npm registry. The package.json only lists ccxt as an optionalDependency, which is standard, but the auto-install behavior is network-active and persistent on disk.
Credentials: noteRequesting AiCoin API credentials (AICOIN_ACCESS_KEY_ID/SECRET) and exchange API keys is consistent with an exchange-account management skill. However, the skill will load any keys found in multiple .env locations (not limited to declared variables), which can surface unrelated secrets. A public default AiCoin key/secret are embedded in lib/defaults.json (so the skill can call AiCoin endpoints without user keys), which is benign but notable.
Persistence & Privilege: notealways:false and no modifications to other skills or global agent config are present (good). However, the skill can auto-install npm packages and runs child processes. It is user-invocable and (like other skills) can be invoked autonomously; combined with its ability to perform transfers/orders, this increases the blast radius compared to a read-only skill.