ClawHub

加密货币与贵金属监控(国内源)

PassAudited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill Name: crypto-gold-monitor-cn Version: 1.0.0 The `crypto-monitor.sh` script contains a shell injection vulnerability in the `cmd_update` function. The `gold` and `silver` arguments are directly interpolated into an `echo` command that writes to `/tmp/crypto-monitor/metals_history.json` without proper sanitization, allowing for arbitrary command execution if a user provides malicious input (e.g., `$(command)`). Additionally, the script fetches precious metals data from `http://zhangliang.tideimg.com/data` over unencrypted HTTP, making it vulnerable to Man-in-the-Middle attacks and data tampering.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
ASI04: Agentic Supply Chain Vulnerabilities
What this means

You may be installing a package whose internal identity does not exactly match the registry listing.

Why it was flagged

This embedded metadata differs from the supplied registry metadata, which lists a different owner ID, slug `crypto-gold-monitor-cn`, and version `1.0.0`. That is not malicious by itself, but it is a provenance/packaging mismatch users should verify.

Skill content
"ownerId": "kn736rzd6bc915rft5008bj5f97zzzpq", "slug": "crypto-gold-monitor", "version": "1.2.1"
Recommendation

Verify the publisher and package version before relying on it, especially because the source and homepage are not provided.

Note
ASI02: Tool Misuse and Exploitation
What this means

The tool will contact third-party price services, and the displayed prices may be affected if a provider is unavailable or if the HTTP data source is tampered with in transit.

Why it was flagged

The script uses fixed external API calls to fetch market data, including one plain HTTP endpoint. This is expected for the stated price-monitoring purpose, but data accuracy and integrity depend on those providers and the network path.

Skill content
curl -s --connect-timeout 3 "https://api.coingecko.com/api/v3/simple/price?..." ...; curl -s --connect-timeout 5 "http://zhangliang.tideimg.com/data"
Recommendation

Use the output as reference information only, as the skill itself also warns; do not treat it as authoritative trading or investment advice.