Is alexander-panov/finam safe?
https://github.com/openclaw/skills/tree/main/skills/alexander-panov/finam
The alexander-panov/finam skill is a well-structured Finam brokerage API integration with no malicious prompt injection, no anomalous exfiltration, and clean install behavior. Its primary risk is inherent to its purpose: it grants an AI agent direct control over live financial trading with only AI-instructed (not technically enforced) user confirmation as a safeguard, and stores a live JWT in the shell environment accessible to co-installed skills. No evidence of malicious intent was found, but the financial risk surface is high enough to warrant careful review before deployment.
Findings (9)
HIGH AI-controlled live financial trading with soft confirmation only -38
The skill instructs the AI agent to execute real buy/sell orders and cancellations against a live Finam brokerage account. The only safeguard against unauthorized execution is an instruction in SKILL.md telling the AI to confirm with the user first. This is a behavioral constraint, not a technical one — a sufficiently persuasive user prompt, a prompt injection from market data, or an AI reasoning error could bypass it, resulting in real financial losses.
MEDIUM JWT token in environment accessible to co-installed skills -10
The setup block exports FINAM_JWT_TOKEN into the shell environment. Any other skill active in the same agent session with shell tool access could read this token via echo $FINAM_JWT_TOKEN or env and use it to make authenticated Finam API calls, including placing trades or reading account balances, without the user's knowledge.
MEDIUM API key transmitted to external server on each session -12
The Setup section instructs the agent to send FINAM_API_KEY in a curl POST body to api.finam.ru to obtain a JWT. While the endpoint is HTTPS and appears legitimate, the key is interpolated into a shell argument, making it visible in process listings during execution and potentially in shell history files.
MEDIUM Financial account data transmitted to third-party API by design -10
Portfolio positions, cash balances, P&L, order book depth, and trade history are all retrieved from and sent to api.finam.ru under the user's credentials. This is the intended function of the skill but means sensitive financial data flows through an external service on every invocation.
LOW Setup block auto-authenticates without explicit user prompt -8
The SKILL.md Setup section is framed as something to 'obtain and store JWT token before using the API' and notes the credentials are 'already set'. This pattern encourages the AI to execute the credential-bearing curl as a precondition before the user asks for anything, rather than only on demand.
LOW Bundled Python script with external API calls -10
scripts/volatility.py is a non-trivial Python script that makes HTTP requests to api.finam.ru. Its behavior appears consistent with its described purpose (volatility scanner), but it executes with the agent's full privileges and network access.
LOW Inline Python processes external XML without sandboxing -10
The news-fetching commands pipe RSS XML from Finam's servers into python3 -c using xml.etree.ElementTree. While ET is not vulnerable to XXE by default in Python 3, it processes attacker-influenced content (remote RSS) without input validation.
INFO Install connected only to GitHub as expected -8
The only external network connection during installation was to 140.82.121.3:443 (github.com) for the git clone of the openclaw/skills monorepo. This is expected behavior and no anomalous destinations were observed.
INFO Canary file accesses attributed to audit infrastructure, not skill -10
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) showed OPEN/ACCESS events at pre-install (1771652446.708) and post-install (1771652468.291) timestamps. Timing analysis places both access sets within the Oathe audit setup/teardown window, not within the skill install or any skill-spawned process execution window. Content was not modified.