Is ai-chen2050/moltrade safe?
https://github.com/openclaw/skills/tree/main/skills/ai-chen2050/moltrade
The moltrade skill is a trading bot integration that contains no malicious code itself but instructs the agent to clone and execute unaudited Python code from an external repository (hetu-project/moltrade), creating a significant supply chain risk. The skill handles extremely sensitive financial data including wallet private keys and exchange API credentials, and supports live trading that places real orders. While installation monitoring showed clean behavior and all canary files remained intact, the combination of external code execution and financial key handling warrants careful review before use.
Category Scores
Findings (9)
CRITICAL Unaudited external code execution via pip install -40
The skill instructs the agent to clone an external repository (github.com/hetu-project/moltrade) and run 'pip install -r requirements.txt'. This executes arbitrary Python code from an unaudited source. The packages listed in requirements.txt, and their transitive dependencies, can contain setup.py scripts that execute during installation. None of this code is part of the audited skill package.
HIGH Agent handles wallet private keys and exchange credentials -15
The skill instructs the agent to manage config files containing wallet private keys, exchange API credentials, and Nostr nsec keys. The init wizard (python main.py --init) prompts for wallet private key entry. If the agent is compromised or the external code is malicious, these credentials could be exfiltrated.
HIGH Real financial risk from live trading mode -30
The skill supports live trading that places real orders on exchanges (e.g., Hyperliquid). The only safeguard is a textual instruction to 'require explicit consent.' There are no technical guardrails, spending limits, or confirmation mechanisms built into the skill instructions. An agent could inadvertently switch to live mode.
MEDIUM Broad agent permissions for financial operations -10
The skill grants the agent broad operational scope including managing exchange configurations, running trading bots, broadcasting signals to Nostr relays, and handling cryptographic keys. While no injection techniques are used, the breadth of permissions exceeds what most users would expect from a skill installation.
MEDIUM Multiple unaudited Python script executions -15
Beyond pip install, the skill instructs running multiple Python scripts from the cloned external repository: main.py (with --init, --test, and live modes), backtest.py, and strategy integration scripts. None of this code is included in the audited skill package.
MEDIUM Nostr signal broadcasting sends trade data externally -7
The skill's core functionality includes broadcasting trade signals and execution reports to external Nostr relay servers. While this is the stated purpose, it creates a data exfiltration channel for trade activity, positions, and potentially strategy information.
LOW External image URL in markdown -3
The SKILL.md includes an external image reference that will be rendered when the skill is displayed. While this is a standard markdown image and not an attack vector in most contexts, it does make a request to an external server.
INFO Clean installation with expected network activity -5
The skill installation only made connections to GitHub (for cloning) and standard Ubuntu system services. No unexpected processes were spawned and no filesystem changes occurred outside expected paths.
INFO Safety instructions present but insufficient -5
The skill includes safety guidelines ('Never print or commit private keys', 'Default to test mode', 'require explicit consent for live trading') which show awareness of risks, but these are textual instructions that can be bypassed, not technical enforcement mechanisms.