Is aixvcteam/axelrod safe?
https://github.com/openclaw/skills/tree/main/skills/aixvcteam/axelrod
The Axelrod skill is a legitimate Base-chain trading client with clean code, minimal dependencies, and no malicious patterns detected during installation. The primary risks are inherent to its domain: all user messages are transmitted to a third-party API (api.aixvc.io), unsanitized API responses create a prompt injection vector, and the skill executes real financial trades with a confirmation bypass for small orders. No data exfiltration, canary access, or suspicious clone behavior was observed.
Findings (7)
MEDIUM API response prompt injection vector -10
The script extracts reply text from api.aixvc.io responses (data.reply or data.intent.reply_to_user) and prints it directly to stdout without sanitization. The agent then processes this text as part of its context. A compromised or malicious API could embed prompt injection payloads in response text to manipulate agent behavior, potentially instructing it to read sensitive files or execute unintended commands.
MEDIUM All user messages transmitted to third-party API -15
Every invocation sends the user's natural-language instruction to https://api.aixvc.io/gw/openapi/v2/public/twa/agent/chat. While this is the intended functionality, it means all user queries (including potentially sensitive trading strategies, balance information, and portfolio details) are sent to a third-party service outside the user's control.
MEDIUM Behavioral directives force script execution -18
The SKILL.md frontmatter and Mandatory Workflow section contain strong directives that override default agent behavior: 'Always run scripts/axelrod_chat.py to fetch real-time results' and 'Do not answer from model memory alone'. This forces the agent to execute the Python script on every trading-related query, reducing user control over when external code runs.
LOW Financial operations with confirmation bypass for small orders -10
The skill executes real financial trades on Base chain. Orders approximately ≤$10 may skip the confirmation flow entirely, meaning the agent could execute small trades without explicit user approval for each one. An attacker who controls the agent's context could initiate many small trades to drain funds incrementally.
LOW Third-party API trust dependency -15
The skill's entire functionality depends on the integrity of api.aixvc.io. If this service is compromised, it could manipulate trade execution, return false balance information, or inject malicious content into agent responses. Users have no way to verify the API's behavior independently.
INFO Clean minimal codebase with single standard dependency 0
The skill contains only one Python script (~180 lines) with a single dependency (requests). No obfuscation, no dynamic code execution, no shell commands, no file I/O beyond stdout/stderr. The SigV4 signing implementation uses only standard library modules (hashlib, hmac). Code is readable and well-structured.
INFO All canary files verified intact 0
No honeypot files (.env, SSH keys, AWS credentials, .npmrc, Docker config, gcloud credentials) were accessed or modified during skill installation and monitoring period.