Aicoin Freqtrade

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Freqtrade crypto-bot controller, but it gives an agent broad live-trading, secret-handling, software-installation, and persistent process authority that needs review before use.

Install only if you intentionally want an agent to manage a Freqtrade crypto trading bot. Keep dry_run enabled unless you are ready for real trades, manually confirm every live-mode, force-enter, force-exit, cancel, or delete action, and avoid running it in environments with unrelated secrets. Review host-mode deploy first because it can install software, write plaintext credentials, and start a persistent trading daemon.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill document describes capabilities to read environment variables, read local files, and access networked APIs, but the manifest does not declare corresponding permissions or constraints. This creates an authorization gap: a reviewer or execution framework may underestimate what the skill can access, including local secrets and external services, which is especially risky in a trading/daemon-management context.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared purpose focuses on Freqtrade workflow management, but the skill also documents authenticated AiCoin API access, credential loading from .env, reusable data-SDK behavior, and additional market/whale/liquidation data collection. That mismatch is dangerous because it hides materially broader data access and external communications than a user or platform might expect, increasing the chance of secret exposure, overbroad invocation, or unreviewed trading logic dependencies.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file contains a hardcoded third-party AiCoin API credential, which is a real secret exposure even if described as a 'public free-tier' key. Bundling credentials in distributed skill code enables unauthorized reuse, complicates revocation, and creates a dependency outside the skill's stated Freqtrade-management purpose, increasing the attack surface and risk of quota exhaustion or account abuse.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
In host mode, the script installs tooling from the network, including piping a remote installer script into sh and then installing Python. That materially expands the skill from managing an existing Freqtrade bot to performing software installation and arbitrary system modification, which is dangerous in an agent context because a simple deploy request can trigger unexpected code execution on the host.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The host-mode deploy path clones Freqtrade from GitHub and runs setup.sh, giving the skill a software acquisition and installation capability beyond its stated management role. In an agent setting, this means a routine trading action can unexpectedly fetch and execute third-party code, increasing supply-chain and unauthorized system change risk.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are very broad and include common conversational requests like checking P&L, positions, or 'switch to live', which can cause the skill to activate in ordinary discussion without clear scoping. In a trading-control skill, accidental invocation is more dangerous because it may lead to sensitive account reads or progression toward live-trading state changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code writes sensitive operational secrets, including exchange credentials embedded in config and a generated API password persisted into .env, without an explicit warning or confirmation at the point of write. Persisting secrets silently increases the chance of accidental exposure through backups, logs, later tooling, or unintended file sharing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script executes remote installation commands and then proceeds toward launching a background trading service without requiring an explicit user acknowledgment in that execution path. In a high-risk domain like trading, silent installation and service startup can create both host compromise exposure and unintended persistent trading activity.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The strategy pulls external AiCoin data during live/dry-run trading without explicit disclosure or consent controls in the code path. In a trading skill context, this can expose pair/exchange usage patterns and create unnoticed outbound dependencies, which is a privacy and operational-risk issue even if it is not a classic code-execution flaw.

Credential Access

High
Category
Privilege Escalation
Content
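**Counter-examples that violate the rule**:
- ❌ The user says "close it", and you call `force_exit` directly and close a real position (a real bug caught in K-Live-3 dogfooding)
- ❌ The user says "switch to live", and you run `set_dry_run {"dry_run":false}` directly without listing the .env keys / balance / risks
- ✅ The user says "close it", and you list "Position: BNB/USDT 0.05 +$1.07, close this one? dry_run=true (paper trading)" and wait for the user to confirm

**Writing a strategy and switching strategies should preferably be split into two rounds** (one round for create_strategy, one for set_strategy). This is not a technical limitation but a UX choice: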
Confidence
78% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
    @staticmethod
    def _load_env():
        for f in (Path.cwd() / '.env',
                  Path.home() / '.openclaw' / 'workspace' / '.env',
                  Path.home() / '.openclaw' / '.env'):
            if not f.exists():
Confidence
82% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
    @staticmethod
    def _load_env():
        for f in (Path.cwd() / '.env',
                  Path.home() / '.openclaw' / 'workspace' / '.env',
                  Path.home() / '.openclaw' / '.env'):
            if not f.exists():
                continue
Confidence
82% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
    def _load_env():
        for f in (Path.cwd() / '.env',
                  Path.home() / '.openclaw' / 'workspace' / '.env',
                  Path.home() / '.openclaw' / '.env'):
            if not f.exists():
                continue
            try:
Confidence
84% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
import { readFileSync, existsSync } from 'node:fs';
import { coinclawEnv, readFtApiPass, envFileCandidates } from './coinclaw-env.mjs';

// Auto-load .env files (the CoinClaw container prefers /workspace/.env or the equivalent OpenClaw path).
function loadEnv() {
  for (const file of envFileCandidates()) {
    if (!existsSync(file)) continue;
Confidence
78% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
import { readFileSync, existsSync } from 'node:fs';
import { coinclawEnv, readFtApiPass, envFileCandidates } from './coinclaw-env.mjs';

// Auto-load .env files (the CoinClaw container prefers /workspace/.env or the equivalent OpenClaw path).
function loadEnv() {
  for (const file of envFileCandidates()) {
    if (!existsSync(file)) continue;
Confidence
78% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
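//     FREQTRADE_USERNAME/PASSWORD. The latter may be a stale value written by
//     appendEnv in the early ft-deploy.mjs deploy flow; the password changes
//     after the daemon restarts but .env is not updated → 401. End-to-end
//     testing reproduced this bug in an OpenClaw pod.
//   - host mode (env=null): trust the user's .env configuration, because the
//     local freqtrade is not managed by supervisord, so there is no
//     .ft_api_pass file as an authoritative source.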
let BASE, USER, PASS;
if (env) {
Confidence
73% confidence
Finding
.env

VirusTotal

VirusTotal findings are pending for this skill version.
