Skill v3.5.3

ClawScan security

Aicoin Freqtrade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 10, 2026, 7:20 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely matches its stated goal (Freqtrade + AiCoin integration), but its runtime instructions and code perform several surprising, high-impact actions (broad .env access, auto-install via curl | sh, writing to the workspace .env, enforcing use of its deploy script) that are disproportionate to that goal and warrant caution.
Guidance
What to consider before installing or running this skill:
- It will ask you to run its Node scripts (ft-deploy.mjs), which auto-read .env files from your workspace and home directory (.openclaw). Those files often contain API keys for other tools; review them first.
- The deploy script can run arbitrary shell commands (execSync) and will try to install Python via an external installer (curl | sh from https://astral.sh), which is risky. Do not run it on a machine with sensitive data you cannot isolate.
- The code can write/update ~/.openclaw/workspace/.env, create ~/.freqtrade, and start background services. Back up any .env/config files and secrets first.
- Confirm you are comfortable with the public keys bundled in defaults.json (they exist in the repo), and inspect the scripts for any external endpoints beyond AiCoin (they call open.aicoin.com and may call the astral installer).
- If you want to use only the strategy code, consider extracting the Python strategy files and the Python SDK (aicoin_data.py) and running them in a controlled environment (VM or disposable container) rather than using ft-deploy.mjs.
- If you proceed: review the scripts line by line, run them in an isolated VM or container, revoke and rotate any exchange API keys used for testing, and avoid running remote installer commands (replace them with manually vetted installers).

Review Dimensions

Purpose & Capability: concern
The name and description claim Freqtrade strategy/backtest/deploy with AiCoin data, and the code and scripts implement that. However, there are mismatches: the registry shows no required env vars, but the metadata declares primaryEnv=AICOIN_ACCESS_KEY_ID (inconsistent). The skill requires only 'node', yet its deploy script locates/installs Python 3.11+ and manages a Python-based Freqtrade install, so the declared binary requirement is incomplete. The scripts also read many unrelated env vars (exchange API keys, proxy settings, FREQTRADE_*), which is partly expected for deployment but broader than the simple metadata suggests.
Instruction Scope: concern
SKILL.md strongly instructs the agent and user to always run the provided scripts (ft-deploy.mjs/ft.mjs) and never to run manual freqtrade or Docker commands; this coerces use of the bundle's code. The scripts auto-load .env files from multiple locations (~/.openclaw/workspace/.env, the workspace .env, $HOME/.openclaw/.env) and will read exchange API keys and other secrets. The code expects to insert config and credentials automatically into the Freqtrade config and the workspace .env (appendEnv), giving the skill broad discretion over local secrets and config files.
Install Mechanism: concern
There is no formal install spec in the registry (instruction-only), but the runtime deploy script performs system modifications: it uses execSync to run shell commands, can auto-install Python (including running `curl -LsSf https://astral.sh/uv/install.sh | sh`), and may call brew. Executing remote installer scripts (curl | sh) is high-risk because arbitrary code fetched from an external URL is run at deploy time.
Credentials: concern
The skill declares AICOIN_ACCESS_KEY_ID as primaryEnv (an AiCoin API key is reasonable), but the code reads many other environment variables (exchange API keys such as BINANCE_API_KEY/BINANCE_API_SECRET, FREQTRADE_URL, FREQTRADE_USERNAME/PASSWORD, HTTP(S)_PROXY, etc.) and auto-loads .env files from multiple paths. It also ships a defaults.json with a public key/secret pair baked in. The combination of reading arbitrary .env locations and writing back to ~/.openclaw/workspace/.env (appendEnv) means the skill can access and persist unrelated credentials stored there, which is more access than the high-level description documents.
Persistence & Privilege: concern
The always flag is false (good), but the deploy script creates ~/.freqtrade, writes config files, may start background processes, and writes/updates the OpenClaw workspace .env. That modifies user state and can persist credentials and service configuration. While expected for a deployment helper, it is high-privilege behavior that could affect other workflows or expose other secrets in the workspace .env.