
Security audit

SMC Multi-Strategy Paper Trader

Security checks across malware telemetry and agentic risk

Overview

The skill mostly behaves like a paper-trading monitor, but it also silently uses a local GitHub token to publish portfolio data despite saying no credentials are needed.

Install only if you are comfortable reviewing or disabling the GitHub sync code first. Run it in an environment without ~/.github_token unless you intentionally want it to publish portfolio files to the hardcoded GitHub repository, and expect it to write local trading state under ~/.openclaw/workspace/trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares no permissions while its documented behavior and referenced scripts imply network access, shell execution, and likely environment/file access. This mismatch weakens user consent and sandboxing because operators may run a skill with broader capabilities than disclosed, increasing the chance of unintended external communication or local data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose says Binance public API only and no credentials needed, but the analyzed behavior includes reading a local GitHub token, contacting GitHub, and using additional third-party data sources. That discrepancy is dangerous because it can mislead users into exposing local secrets and permitting outbound data exfiltration to remote services they did not expect.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata claims it uses only Binance public APIs and needs no credentials, but the implementation also pulls data from FRED and Alternative.me and later performs authenticated GitHub writes. This creates a deceptive trust boundary: operators may approve or sandbox the skill under the assumption that it only performs market-data reads, while it actually has broader network reach and participates in external data transmission.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script reads a local GitHub token from ~/.github_token and uses it to make authenticated API calls that update a repository. For a paper-trading monitor advertised as requiring no credentials, this is an unexpected privileged capability that can exfiltrate portfolio data and abuse any repository permissions granted to the token if the skill is run in a more privileged environment.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The header says 'no credentials needed,' which is contradicted by later code that reads a GitHub token and performs authenticated writes. This misrepresentation increases operational risk because reviewers or users may grant execution to the skill believing it is read-only and low risk, when it can actually consume local secrets and modify remote state.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata states Binance public API only and no credentials needed, but the code reads a local GitHub token and exfiltrates portfolio data to GitHub. This creates an undeclared credential dependency and an external write path that expands trust boundaries beyond paper trading, making the skill more dangerous because users would not expect authenticated outbound access.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
These helper functions implement authenticated GitHub API GET and PUT operations, enabling repository writes unrelated to the stated Binance-public-only monitoring purpose. Even if only used for portfolio sync, this capability materially increases the attack surface because any later code change or misuse can leverage local credentials for arbitrary repository modification.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code reads credential material from ~/.github_token despite the skill claiming that no credentials are needed. This mismatch is dangerous because it causes unexpected secret access on the host and can be abused to perform authenticated actions outside the user’s understanding of the skill’s behavior.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata claims Binance public API only and no credentials needed, but the script reads a local GitHub token and performs authenticated repository writes. That mismatch is security-relevant because users may run the skill under false assumptions, exposing local credentials and allowing unintended outbound data transmission.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code contains authenticated GitHub write capability unrelated to core paper-trading signal generation, which expands the skill's privilege boundary beyond its stated purpose. Any component that can read a token from disk and write to a remote repo can be abused for data exfiltration or unauthorized content modification if the environment is compromised or the script behavior changes.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata claims Binance-public-only, no-credentials operation, but the script reads a local GitHub token and performs authenticated repository writes. This creates a material mismatch between declared behavior and actual capability, which can mislead operators into granting trust to a component that exfiltrates or publishes trading data using credentials.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The script contains generic authenticated GitHub GET/PUT helpers that enable repository modification beyond core market-data monitoring. In a paper-trading monitor, this is a privileged outbound write capability that increases attack surface and could be repurposed to alter repository contents or leak local state if the token scope is broad.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill description claims Binance-public-only paper monitoring with no credentials needed, but the script also reads a local GitHub token and uploads portfolio data to a repository. This creates a clear capability mismatch: a monitoring script silently performs authenticated exfiltration of trading state to an external service, increasing trust risk and exposing local credential use beyond the stated purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code reads a credential from ~/.github_token and performs authenticated repository writes, which is unrelated to the advertised Binance-public-only monitoring role. Even if intended for dashboard updates, this expands the trust boundary from passive market-data polling to authenticated modification of external resources, which can leak sensitive state or be abused if the repo target or content changes.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script writes operational notes into a general observations markdown file that is not disclosed in the skill summary. While this is not credential theft, it is hidden persistence and behavior expansion beyond pure paper monitoring, and it can leak strategy activity or clutter unrelated workspace notes.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill description says no credentials are needed and implies a Binance-public-only paper monitor, but the code reads a local GitHub token and performs authenticated repository writes. This creates an undisclosed credential access and outbound data publication path that materially exceeds the stated capability and could expose portfolio activity or misuse the token if the repository target or content changes.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Authenticated GitHub write access is not necessary for core paper-trading signal generation or local portfolio tracking, yet the script can modify remote repository contents. Any unnecessary write-capable external integration increases attack surface and can be abused for unauthorized data publication or repository tampering if the script is altered or run in a broader-trust environment.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reads a credential file from the user's home directory despite the skill claiming no credentials are needed. Hidden secret access undermines trust boundaries and can cause operators to run the skill in environments where sensitive tokens are present without realizing they will be consumed.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script spawns a shell via execSync to run curl for FRED data, even though the URL is currently hardcoded. Invoking a shell increases attack surface unnecessarily, can inherit environment-based behavior, and creates command-execution risk if the series ID or URL construction is ever made user-influenced later. In a monitoring skill, direct HTTPS requests are safer and sufficient.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script silently reads a GitHub token and uses it for authenticated requests without any user-facing warning, consent prompt, or clear runtime disclosure. Hidden secret usage is dangerous because users may unknowingly expose a locally stored credential to code they believed only accessed public market data, and the token's scope may permit broader repository actions than expected.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
A sensitive GitHub token is loaded and immediately used for outbound authenticated requests with no meaningful user disclosure, approval step, or audit-friendly notice. This is risky because users may unknowingly grant the skill repository write authority, and any compromise or misuse of the script can turn that secret into a vehicle for unauthorized remote changes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script silently reads a GitHub token from ~/.github_token and uses it in outbound requests without user-facing disclosure. This creates a credential-handling risk because operators may not expect local secret access from a paper-trading monitor, and any misuse or logging/telemetry around failures could expose sensitive operational details.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently reads a GitHub token from the user's home directory and uses it for outbound authenticated API calls without an explicit runtime warning or consent flow. This is dangerous because users may run the skill under the assumption it needs no credentials, while it actually consumes a local secret and transmits data to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script reads a GitHub token from a local file and immediately uses it in outbound authenticated API requests without any explicit user disclosure at runtime or in the manifest. This is dangerous because users may believe the skill is credential-free while it actually consumes local secrets and transmits data to a third party, undermining informed consent and increasing secret-handling risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script consumes a GitHub token from a local file and immediately uses it in outbound authenticated requests without prominent disclosure or consent. Even if the current code only updates one file, this silent secret use is dangerous because it normalizes hidden credential access and expands the blast radius if the code or destination is changed.

VirusTotal

64/64 vendors flagged this skill as clean.
