Is astinz/deepbook-cli safe?

https://github.com/openclaw/skills/tree/main/skills/astinz/deepbook-cli

83
SAFE

This is a documentation-only skill providing CLI reference for the DeepBook cryptocurrency trading tool on the Sui blockchain. It contains no executable code, no prompt injection, and no data exfiltration attempts. The primary risks are the unaudited global npm package install (deepbook-cli), which subsequently receives cryptocurrency private keys, and the inherent danger of an AI agent executing irreversible financial transactions.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (7)

HIGH Global npm install of unaudited third-party package -30

The skill instructs 'npm install -g deepbook-cli', which installs a globally available npm package from the public registry. This package has not been audited as part of this skill review and could contain arbitrary preinstall/postinstall scripts that execute during installation. The package then receives private key material through subsequent config commands.

MEDIUM Private keys exposed via CLI arguments -12

The skill documents --private-key as a global flag, meaning cryptocurrency private keys can be passed as command-line arguments visible in process listings (ps aux), shell history files, and system audit logs. While --stdin is offered as an alternative for import-key, the global flag pattern normalizes insecure key handling.

MEDIUM Irreversible financial transaction execution by AI agent -25

The skill instructs the agent to execute real cryptocurrency trades including spot buys/sells, margin orders, and swaps on the Sui blockchain. Agent misexecution (wrong amount, wrong pool, mainnet vs testnet, skipping --dry-run) could result in irreversible financial loss. The skill recommends --dry-run but does not enforce it.

MEDIUM Supply chain trust chain: npm package receives wallet keys -15

The skill creates a trust chain where (1) an unaudited npm package is installed globally, then (2) the user's cryptocurrency private keys are imported into that package's config. If the deepbook-cli npm package were compromised via supply-chain attack, the attacker would gain direct access to wallet private keys.

LOW Wallet keys persisted in plaintext config file -6

The skill instructs storing private keys in ~/.deepbook/config.json via import-key command. This file likely stores keys in plaintext on disk, accessible to any process running as the same user.

INFO No prompt injection detected 0

SKILL.md is clean documentation with no hidden instructions, unicode tricks, HTML comments, or attempts to override system behavior. Content matches its stated purpose as a CLI reference guide.

INFO Clean installation with no anomalous behavior 0

Installation was a standard git sparse-checkout clone. No unexpected network connections, no filesystem changes outside the skill directory, no firewall-blocked connections, and no suspicious process execution.