Skill v3.7.2

ClawScan security

Aicoin Trading · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 10, 2026, 4:43 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill claims manual two-step order confirmation and limited environment access, but the shipped scripts read .env files (including agent workspace), auto-install npm packages at runtime, write config into ~/.openclaw/workspace, and include an automated trading flow that auto-confirms orders — these behaviors are inconsistent and warrant caution.
Guidance
Do not install/run this skill without review and precautions. Specific concerns:
(1) The SKILL.md requires manual confirmation but scripts include an automated trading flow that calls create_order with confirmed:'true' — this contradicts the stated safety rule.
(2) The code auto-loads .env files from the current directory and from ~/.openclaw/workspace/.env and ~/.openclaw/.env, which may expose other secrets; keep exchange API keys out of global or shared .env files.
(3) At runtime the skill may run npm install (fetching ccxt and running its install scripts) — only allow this in a trusted, isolated environment.
(4) The skill writes config to ~/.openclaw/workspace/aicoin-trade-config.json; expect persistent state.
Recommended actions before using: inspect scripts (exchange.mjs, auto-trade.mjs, lib/aicoin-api.mjs), remove or disable automated open/auto-trade paths if you require manual confirmation, run in a sandboxed environment, create and use exchange API keys with minimal permissions (no withdraw), avoid placing exchange keys in shared/global .env, and consider forking and pinning dependencies rather than allowing runtime npm installs. If you need help auditing specific files or making the code enforce manual confirmation, ask for a targeted review or suggested patch.

Review Dimensions

Purpose & Capability
concern
The skill is presented as a trading CLI that uses AiCoin market data (primaryEnv AICOIN_ACCESS_KEY_ID). But the code clearly expects and uses exchange API keys (e.g., OKX_API_KEY, BINANCE_API_KEY, etc.) read from environment/.env files to perform trades. The registry metadata does not declare these exchange credentials as required, so the declared purpose (market-data helper) and the actual capability (placing real exchange orders using user exchange keys) are mismatched unless the user deliberately supplies those keys.
Instruction Scope
concern
SKILL.md explicitly mandates a manual two-step confirmation flow and forbids auto-confirmation. However scripts/auto-trade.mjs (open action) and other helpers call create_order with confirmed: 'true' (auto-confirm), contradicting the documented 'no auto-confirm' rule. The code also instructs/assumes running node scripts from the skill dir while the libraries auto-load .env from multiple locations (process.cwd(), ~/.openclaw/workspace/.env, ~/.openclaw/.env), which lets the skill read other local secrets without explicit user consent.
Install Mechanism
concern
There is no declared install spec, but scripts/exchange.mjs will attempt to auto-install dependencies at runtime via execSync('npm install --omit=dev', ...). package-lock.json shows ccxt as an optional dependency and ccxt has an install script. Auto-installing npm packages at runtime (and running their install scripts) is higher-risk than an instruction-only skill because it fetches and executes third-party code without prior registry-level install review.
Credentials
concern
The metadata only declares AICOIN_ACCESS_KEY_ID as primary, but the code reads/writes many env vars and files: AICOIN_ACCESS_SECRET, per-exchange API keys and secrets (e.g., OKX_API_KEY, OKX_API_SECRET), PROXY_URL/HTTPS_PROXY/HTTP_PROXY, HOME, and it auto-loads .env from process.cwd(), ~/.openclaw/workspace/.env, and ~/.openclaw/.env. It also writes a config file at ~/.openclaw/workspace/aicoin-trade-config.json. The skill therefore accesses and can persist secrets beyond what the metadata communicates.
Persistence & Privilege
note
always:false (good) and the skill is user-invocable. However, it writes persistent config into ~/.openclaw/workspace and can auto-install npm packages into the skill directory at runtime. While not 'always' privileged, the skill can modify the agent workspace and install third-party code — consider this a notable persistence/privilege footprint even though it doesn't change other skills' configs or set always:true.