Back to skill

Security audit

Btc Price Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Bitcoin price alert skill with expected network and local storage behavior, though users should understand that Telegram alerts may leave the local environment if enabled.

Install only if you are comfortable with the skill calling CoinGecko for Bitcoin prices and storing alert names, thresholds, and cached prices in local JSON files. If you enable Telegram/OpenClaw Gateway notifications, assume alert names, prices, and trigger text may be sent to Telegram; avoid sensitive alert names. The bundled virtual environment is packaging noise but did not show malicious behavior in the reviewed artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises Telegram notifications and states they are automatically configured in the OpenClaw environment, but it does not clearly warn users that alert names, trigger conditions, and price data may be sent to external services through Telegram/OpenClaw Gateway. This can mislead users into assuming the tool is entirely local, especially because the security section says all alert data is stored locally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly describes sending alert notifications through Telegram and references a bot token, but it does not clearly warn users that alert content will be transmitted to an external third-party service. This is a real privacy/transparency issue because users may not realize operational or financial-interest data in alert names and thresholds leaves the local environment when notifications are enabled.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.12/site-packages/pip/_vendor/distlib/wheel.py:131

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.12/site-packages/pip/_vendor/pygments/formatters/__init__.py:91

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.12/site-packages/pip/_vendor/pyparsing/results.py:57

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
venv/lib/python3.12/site-packages/pip/_vendor/typing_extensions.py:1251

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/pip/_internal/network/auth.py:93

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/pip/_vendor/requests/adapters.py:214

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/pip/_vendor/requests/sessions.py:323

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/pip/_vendor/urllib3/connection.py:423

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/pip/_vendor/urllib3/connectionpool.py:988

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/pip/_vendor/urllib3/contrib/_securetransport/low_level.py:231

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/pip/_vendor/urllib3/contrib/socks.py:102

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/requests/adapters.py:258

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/requests/sessions.py:323

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/urllib3/connection.py:807

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/urllib3/connectionpool.py:1073

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
venv/lib/python3.12/site-packages/urllib3/contrib/socks.py:116

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/pip/_internal/network/session.py:304

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/pip/_vendor/distlib/wheel.py:183

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/pip/_vendor/truststore/_macos.py:353

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/pip/_vendor/truststore/_windows.py:443

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/pip/_vendor/urllib3/connection.py:454

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/pip/_vendor/urllib3/contrib/pyopenssl.py:113

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/pip/_vendor/urllib3/contrib/securetransport.py:795

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/pip/_vendor/urllib3/util/ssl_.py:137

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/urllib3/connection.py:951

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/urllib3/contrib/pyopenssl.py:84

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
venv/lib/python3.12/site-packages/urllib3/util/ssl_.py:353