Back to skill

Security audit

Id Emas Pro

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do legitimate gold-price, alert, portfolio, and AI-analysis work, but its setup guide asks for broader agent permissions and scheduled messaging authority than the skill clearly needs.

Install only if you are comfortable reviewing the OpenClaw configuration first. Prefer granting the minimum needed permission to run this skill's Node scripts, avoid broad group:fs or coding-profile access unless you need it, protect KIMI_API_KEY as a secret, and enable cron/Telegram announcements only for private channels you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The guide tells operators to allow both `exec` and broad filesystem access for a skill whose stated purpose is checking gold prices, alerts, and AI analysis. That unnecessarily expands the skill's capability to run arbitrary commands and access local files, increasing the blast radius if the skill, prompt, or surrounding agent workflow is abused.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The guide instructs users to place and export `KIMI_API_KEY` but gives no warning that the value is a sensitive credential or that it should be kept out of logs, screenshots, commits, and chat transcripts. In operator guides for agent skills, missing secret-handling guidance materially raises the chance of accidental credential disclosure.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The cron examples enable `--announce --channel telegram` for automated runs without warning that alert payloads, user identifiers, portfolio-related data, or pricing context may be sent to an external messaging channel. This can leak operational or user data outside the local environment, especially if notifications are broad or misrouted.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases for price checks include very broad natural-language terms like 'harga emas' and 'berapa harga emas,' which can match ordinary conversation rather than deliberate tool invocation. In an agent setting, overly permissive triggers can cause unintended execution of external scripts and network requests, turning casual text into an action without clear user intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The alert-setting examples are ambiguous enough that routine conversation about wanting price notifications could be interpreted as a command to create persistent alerts. Because alert creation stores state tied to a userId and may lead to later notifications, accidental activation has longer-lived consequences than a one-off query.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Using a generic system message like 'alert check' as the trigger for a cron handler is risky because the phrase could appear in normal conversation, logs, relayed content, or other automated messages. If mis-triggered, it can launch a bulk alert-check operation over all users and process notification directives, expanding the blast radius beyond a single requester.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The morning brief handler accepts highly generic trigger text including 'morning brief' or even 'price --brand antam,' which overlaps with normal text and operational command fragments. This can cause unintended mass messaging to subscribed users, making the context especially dangerous because a single accidental activation can generate broadcast-style output rather than a local response.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.