Is trading-coach safe?

https://clawhub.ai/BENZEMA216/trading-coach

62
CAUTION

This skill contains no executable code itself but instructs the LLM agent to clone an external GitHub repository and execute multiple unaudited Python scripts that process sensitive financial trading data. The external repository can be modified by the author at any time after skill publication, creating a persistent supply-chain attack vector. While no active malicious behavior was detected during installation monitoring, the architecture of deferring all execution to an unaudited external codebase represents a significant risk, especially given that the skill processes highly sensitive brokerage trade records.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (9)

CRITICAL External repository clone and arbitrary Python execution -45

SKILL.md instructs the agent to 'git clone https://github.com/BENZEMA216/tradingcoach.git ~/tradingcoach' followed by pip install and execution of four Python scripts. The skill bundles zero source code - all functionality is deferred to an unaudited external repository that the skill author can modify at any time after skill publication. This is a classic supply-chain attack vector.

HIGH Unaudited pip dependencies installation -20

The skill instructs 'pip install -r requirements.txt' from the cloned repository. The requirements.txt is not included in the skill files and its contents are completely unknown. This could install any arbitrary Python packages, including typosquatted or compromised packages.

HIGH Sensitive financial data processed by unaudited external code -30

The skill processes user brokerage CSV files containing trade records, positions, P&L, and potentially account identifiers. This data is fed into externally-sourced Python scripts whose behavior cannot be verified from the skill contents alone. The scripts could easily exfiltrate this financial data.

MEDIUM Skill directs agent to execute shell commands without safeguards -25

The SKILL.md contains a complete bash code block that instructs the agent to clone a repo, create a virtual environment, install packages, and run scripts - all in sequence. There are no warnings to the user, no confirmation steps, and no sandboxing instructions. An LLM agent following these instructions would execute all commands automatically.

MEDIUM Config file generation from template could contain exfiltration endpoints -15

The instruction 'cp config_template.py config.py' copies a configuration template. Since the source repo is external and unaudited, config_template.py could contain hardcoded external API endpoints for data exfiltration disguised as analytics or market data services.

MEDIUM Broad trigger conditions increase attack surface -10

The skill's trigger conditions are very broad: any mention of CSV, trading analysis, performance review, or Chinese phrases like '帮我复盘' (help me review my trades) or '分析我的交易' (analyze my trades) could activate the skill. This increases the chance that the agent will clone and execute the external repo in unintended contexts.

LOW Sensitive file reads during installation -25

During installation, the monitoring detected reads of .env, .aws/credentials, and auth-profiles.json. While these appear to be from the openclaw installer framework rather than the skill itself, they indicate the installation environment has access to sensitive credentials.

INFO Donation/payment solicitation in skill content -5

The skill includes solicitation for GitHub Sponsors, Buy Me a Coffee, and USDC cryptocurrency payments. While not malicious in itself, this is unusual for a security-sensitive tool and the USDC address is redacted with '联系获取地址' (contact to get address), which is a social engineering vector.

INFO Canary files intact 0

All honeypot files (fake .env, SSH keys, AWS credentials) were verified intact. No canary tampering detected.