Security checks across malware telemetry and agentic risk
This appears to be a real AiCoin market-data skill, but it needs review because it broadly handles local credentials and exposes broader analytics than its routing text suggests.
Install only if you are comfortable with this skill reading local .env files and storing an AiCoin API key in plaintext. Use a low-privilege AiCoin market-data key, avoid keeping unrelated exchange or trading credentials in .env files it can read, and treat the Hyperliquid address/trader analytics as broader than ordinary price lookup.
const __dirname = dirname(fileURLToPath(import.meta.url)); // ── .env auto-load (OpenClaw exec may not inject env into child processes) ── const ENV_FILES = [ resolve(process.cwd(), '.env'), resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'),
// ── .env auto-load (OpenClaw exec may not inject env into child processes) ── const ENV_FILES = [ resolve(process.cwd(), '.env'), resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'), resolve(process.env.HOME || '', '.openclaw', '.env'), ];
// ── .env auto-load (OpenClaw exec may not inject env into child processes) ──
const ENV_FILES = [
resolve(process.cwd(), '.env'),
resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'),
resolve(process.env.HOME || '', '.openclaw', '.env'),
];
for (const file of ENV_FILES) {const ENV_FILES = [
resolve(process.cwd(), '.env'),
resolve(process.env.HOME || '', '.openclaw', 'workspace', '.env'),
resolve(process.env.HOME || '', '.openclaw', '.env'),
];
for (const file of ENV_FILES) {
if (!existsSync(file)) continue;if ((v.startsWith('"') && v.endsWith('"')) || (v.startsWith("'") && v.endsWith("'"))) v = v.slice(1, -1);
if (!process.env[k]) process.env[k] = v;
}
} catch { /* ignore unreadable .env */ }
}
const defaults = JSON.parse(readFileSync(resolve(__dirname, 'defaults.json'), 'utf-8'));return hit ? { method: hit.method, spec: hit } : null;
}
// Persist a new key pair to the workspace .env (validates before writing).
export async function saveKey(keyId, secret) {
const headers = authHeaders(keyId, secret);
const res = await fetch(`${BASE}/api/v3/coins/tickers?coin_key=bitcoin`, { headers, signal: AbortSignal.timeout(15000) });VirusTotal findings are pending for this skill version.