Is armax/congress-trades safe?

https://github.com/openclaw/skills/tree/main/skills/armax/congress-trades

Score: 86 (SAFE)

The congress-trades skill is a straightforward Python-based congressional stock trade monitor that fetches data from the legitimate Quiver Quant API and stores it locally in SQLite. The code is clean, readable, and does exactly what it claims with no hidden functionality, obfuscation, or malicious patterns. The primary concerns are the persistent cron-based execution model and the HEARTBEAT.md integration that modifies agent behavior across sessions, both of which are declared features rather than covert actions.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (8)

MEDIUM Persistent cron job execution every minute -15

The skill instructs the agent to set up a cron job that runs scraper.py every minute indefinitely. This creates a persistent background process that continues running after the agent session ends. While this is the declared purpose of the skill, it represents a significant ongoing resource commitment and attack surface if the script is later modified.

LOW HEARTBEAT.md modification instruction -10

The skill instructs the user/agent to add a recurring task to HEARTBEAT.md that reads and forwards content from pending_congress_alert.txt. This modifies agent behavior in future sessions and creates a file-based communication channel. While benign in context, any skill that writes to the pending alert file could inject messages into the user's alert stream.

LOW Cron sources user profile environment -8

The cron setup instruction sources ~/.profile before running the script, which exposes all environment variables (potentially including secrets for other services) to the script's execution environment. While necessary for QUIVER_API_KEY, this is broader access than strictly required.

LOW pip install dependency -10

The skill requires installing the 'requests' Python package via pip. While requests is a widely trusted package, pip installations can be subject to dependency confusion or typosquatting attacks. The installation is straightforward and uses the correct package name.

LOW API key transmitted to external service -8

The QUIVER_API_KEY is sent to api.quiverquant.com via an Authorization header. This is the expected and necessary behavior for the skill's functionality. The API endpoint is a legitimate, well-known financial data provider.

INFO File-based IPC creates cross-skill interaction surface -8

The pending_congress_alert.txt file acts as a message queue between the cron-based scraper and the OpenClaw heartbeat system. If another installed skill were malicious, it could write to this file to inject arbitrary messages that would be forwarded to the user as if they were trade alerts.

INFO Clean installation with no anomalies 0

Installation produced no unexpected filesystem changes, network connections, or process executions. All observed activity is attributable to the git clone operation and system background services.

INFO All honeypot files verified intact 0

No canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed or modified during the installation or skill analysis.