Is baoduy/drunk-trading-analyzer safe?

https://github.com/openclaw/skills/tree/main/skills/baoduy/drunk-trading-analyzer

87
SAFE

The baoduy/drunk-trading-analyzer skill is a documentation-only package containing no executable code, no git hooks, no npm scripts, and no prompt injection patterns. Its install cloned cleanly from GitHub with no unexpected network connections or filesystem changes. The primary risk vectors are runtime concerns: the skill instructs agents to invoke npx mcporter (an unversioned external npm binary) which auto-discovers and aggregates API credentials from all configured editor MCP servers — creating a supply chain dependency and credential aggregation surface that extends beyond the skill files themselves. No active malicious behavior was observed during installation.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 74/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (6)

MEDIUM Runtime npx dependency introduces supply chain risk -26

Both SKILL.md and README.md instruct agents and users to invoke npx mcporter to call trading MCP tools. Running npx executes the latest published version of the mcporter package from npm at invocation time without version pinning. A compromised or malicious future version of mcporter would be silently executed by any agent following this skill's instructions. The skill does not pin a specific mcporter version.

MEDIUM mcporter auto-discovers editor MCP configs containing API keys -17

The mcporter tool, as described in README.md, automatically imports MCP server configurations from Cursor, Claude Desktop, Codex, Windsurf, VSCode, and other editors. These configs frequently store API keys (Alpha Vantage, TradingView, broker tokens) in plaintext JSON. When an agent invokes mcporter per this skill's instructions, mcporter gains read access to all of these credential stores. The skill normalizes this behavior by showing configuration examples with API keys embedded in mcporter config files.

LOW Skill aggregates multiple financial API credentials into single tool surface -22

By routing crypto (TradingView), stock (Alpha Vantage), and market intelligence (Yahoo Finance) through a single mcporter orchestration layer, the skill creates a consolidated credential exposure surface. A user following all setup steps would store multiple financial service API keys accessible to mcporter, which is then invoked by the agent on any trading query.

LOW Outbound connection to GitHub during install -4

Installation required an outbound HTTPS connection to 140.82.121.3:443 (github.com) to perform the git sparse-checkout clone. This is expected behavior for a GitHub-hosted skill registry but represents an installation-time external dependency. The connection was confirmed legitimate and limited to GitHub infrastructure.

INFO Skill contains no prompt injection patterns 0

Full review of SKILL.md and README.md reveals no instructions to override agent behavior, ignore previous instructions, assume alternate personas, access files outside stated scope, or suppress output. All content is standard trading tool documentation.

INFO Canary file reads attributable to monitoring system, not skill 0

inotify and auditd records show canary files (.env, .ssh/id_rsa, .aws/credentials, etc.) were opened at timestamps 1771735983 (pre-clone) and 1771736002 (post-install). Process context for both sets of accesses is the Oathe monitoring infrastructure (sudo/auditctl running as oc-exec). No skill code, install script, or cloned file accessed these paths. Canary integrity check confirms contents were not transmitted.