Aicoin Hyperliquid

Security checks across malware telemetry and agentic risk

Overview

This looks like a real AiCoin analytics skill, but it has broader API reach and local credential handling than a Hyperliquid-only skill should have.

Install only if you are comfortable with a local Node tool that can call broad AiCoin API endpoints, read OpenClaw/workspace .env files, and save AiCoin credentials to plaintext .env. Prefer a limited AiCoin key, avoid shared workspaces, and restrict or review the dispatcher before use in sensitive environments.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (19)

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The client exposes a saveKey function that validates credentials and then writes them into a local .env file, expanding a read-only analytics skill into one that persists secrets on disk. For an analytics integration, silent credential storage increases the blast radius of any workspace compromise and creates an unnecessary secret-management surface.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The code automatically scans multiple local .env locations and imports any discovered variables into process.env, giving the skill ambient access to workspace and home-directory secrets beyond what is needed for simple analytics requests. In this skill context, broad credential-file access is unjustified and risks accidental misuse or cross-skill secret exposure.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The skill is described as a Hyperliquid-specific analytics capability, but the endpoint catalog exposes a much broader authenticated API surface spanning airdrops, news/social, equities, generic market data, signals, treasuries, and more. That scope mismatch increases the chance an agent can be induced to access unrelated sensitive or privileged data and violates least-privilege expectations for a narrowly branded skill.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: Airdrop and discovery endpoints are unrelated to Hyperliquid whale/perpetual analytics and broaden the authenticated reach of the skill beyond user expectations. In an agent setting, unnecessary capabilities materially increase prompt-injection and confused-deputy risk because a user can steer the skill into unrelated data retrieval paths.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: News, article, and social-media retrieval are outside the stated purpose of Hyperliquid on-chain/perp analytics, yet they are available through the same authenticated skill surface. This creates avoidable data-access and instruction-channel expansion, making the skill more susceptible to abuse through unrelated content fetching and downstream prompt contamination.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The manifest contains extensive non-Hyperliquid market/reference-data functionality far beyond the advertised Hyperliquid analytics role. Because the endpoints are authenticated, this overbroad scope turns the skill into a general privileged API broker, increasing the blast radius of misuse, prompt injection, and unauthorized cross-domain data access.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The script is explicitly designed as a generic front-end for any AiCoin v3 endpoint, while the skill metadata claims a much narrower Hyperliquid/on-chain analytics purpose. This scope mismatch materially increases attack surface and enables data access patterns outside the user's expected consent boundary, including unrelated endpoint families the skill was not supposed to expose.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The catalog feature enumerates the full live API surface, which undermines the declared narrow skill purpose and gives users or downstream agents a discovery mechanism for unrelated capabilities. In an agent setting, this makes it easier to pivot from a read-only Hyperliquid analytics use case into broader, unintended API usage.

Description-Behavior Mismatch

Medium

Confidence: 90% confidence
Finding: The key-status probe calls multiple endpoint families unrelated to Hyperliquid analytics, revealing and validating broader account entitlements than the skill needs. This is dangerous because it normalizes overbroad capability testing and can expose accessible services that users did not intend this skill to inspect.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: A read-oriented analytics skill includes functionality to persist API credentials locally, which is a sensitive capability not justified by the manifest. Credential handling increases security risk because secrets may be stored on disk, reused by other tools, or mishandled in environments where users expected ephemeral access only.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The saveKey routine stores access credentials into a .env file without any visible warning, consent flow, or clear disclosure to the user that plaintext secrets will be persisted. That makes secret handling non-transparent and can leave long-lived API keys in locations that may be readable by other tools, processes, or future sessions.

Natural-Language Policy Violations

Low

Confidence: 98% confidence
Finding: The file embeds a real-looking default API credential directly in the skill package and frames it as a public free-tier key. Even if intended for shared use, hardcoding credentials in distributed code encourages unauthorized reuse, makes rotation difficult, and can expose the provider account to abuse, quota exhaustion, or revocation that affects all users of the skill.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The command advertises saving API credentials to .env but does not warn users that secrets will be written to local plaintext configuration. This can lead to accidental credential exposure through source control, backups, shared directories, or other local processes reading environment files.

Credential Access

High

Category: Privilege Escalation
Content: const __dirname = dirname(fileURLToPath(import.meta.url)); // ── .env auto-load (OpenClaw exec may not inject env into child processes) ── const ENV_FILES = [ resolve(process.cwd(), '.env'), resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'),
Confidence: 95% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: // ── .env auto-load (OpenClaw exec may not inject env into child processes) ── const ENV_FILES = [ resolve(process.cwd(), '.env'), resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'), resolve(process.env.HOME || '', '.openclaw', '.env'), ];
Confidence: 91% confidence
Finding: .env'

Credential Access

High

Category: Privilege Escalation
Content: // ── .env auto-load (OpenClaw exec may not inject env into child processes) ── const ENV_FILES = [ resolve(process.cwd(), '.env'), resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'), resolve(process.env.HOME || '', '.openclaw', '.env'), ]; for (const file of ENV_FILES) {
Confidence: 91% confidence
Finding: .env'

Credential Access

High

Category: Privilege Escalation
Content: const ENV_FILES = [ resolve(process.cwd(), '.env'), resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'), resolve(process.env.HOME || '', '.openclaw', '.env'), ]; for (const file of ENV_FILES) { if (!existsSync(file)) continue;
Confidence: 90% confidence
Finding: .env'

Credential Access

High

Category: Privilege Escalation
Content: if ((v.startsWith('"') && v.endsWith('"')) || (v.startsWith("'") && v.endsWith("'"))) v = v.slice(1, -1); if (!process.env[k]) process.env[k] = v; } } catch { /* ignore unreadable .env */ } } const defaults = JSON.parse(readFileSync(resolve(__dirname, 'defaults.json'), 'utf-8'));
Confidence: 89% confidence
Finding: .env

Credential Access

High

Category: Privilege Escalation
Content: return hit ? { method: hit.method, spec: hit } : null; } // Persist a new key pair to the workspace .env (validates before writing). export async function saveKey(keyId, secret) { const headers = authHeaders(keyId, secret); const res = await fetch(`${BASE}/api/v3/coins/tickers?coin_key=bitcoin`, { headers, signal: AbortSignal.timeout(15000) });
Confidence: 97% confidence
Finding: .env

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal