Is brendanwood/snaptrade safe?

https://github.com/openclaw/skills/tree/main/skills/brendanwood/snaptrade

78
CAUTION

The SnapTrade portfolio skill is a legitimate brokerage integration with no malicious code, prompt injection attempts, or credential harvesting patterns. Its primary risks are functional rather than adversarial: the skill can execute real stock market orders via place_force_order with no confirmation gate, stores financial API credentials in a plaintext local file accessible to co-resident skills, and instructs the agent to transmit portfolio balances via WhatsApp on a recurring cron schedule. These risks are inherent to what the skill does rather than evidence of malicious intent, but they make this skill high-stakes and unsuitable for deployment without explicit review of the agent's isolation model and trust boundaries.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (10)

HIGH Real Stock Order Execution via place_force_order -30

snaptrade_order.py calls client.trading.place_force_order() which submits live market or limit orders to connected brokerages with no confirmation step. A malicious or prompt-injected agent could place unauthorized buy/sell orders on a user's live brokerage account. The 'force' endpoint bypasses some broker-side pre-flight checks.

HIGH Financial Manipulation Risk via Agent Prompt Injection -25

Any prompt injection delivered to an agent running this skill could trigger real financial transactions. The skill provides no transaction confirmation gate, no dollar-amount limit, no watchdog, and no rollback mechanism. A single adversarial instruction could drain a brokerage account.

MEDIUM Financial Portfolio Data Transmitted via WhatsApp -15

SKILL.md step 4 instructs the agent to send portfolio balance data via WhatsApp message. WhatsApp is a third-party messaging platform; this creates an ongoing side channel for sensitive financial data outside the user's primary secure context. If WhatsApp credentials are compromised, portfolio data is continuously exposed.

MEDIUM Full Trade Permissions Requested via connection_type=trade -10

Both the portal and reconnect scripts request connection_type='trade', granting full read+write brokerage access. A read-only connection_type='read' would suffice for portfolio reporting. The elevated permission is used by the order script but creates unnecessary exposure for reporting-only use cases.

MEDIUM Financial API Credentials Stored in Local Plaintext JSON -15

The skill stores client_id, consumer_key, and user_secret in a plaintext JSON file at ~/.openclaw/workspace/secrets/snaptrade.json. While chmod 600 is applied, any co-installed skill or process running as the same user can read this file and gain full SnapTrade API access including trading capabilities.

LOW Co-Resident Skills Can Access SnapTrade Credentials -15

The credentials file at ~/.openclaw/workspace/secrets/snaptrade.json is accessible to any skill running as the same user. A malicious co-installed skill could read client_id, consumer_key, and user_secret and independently execute trades without user awareness.

LOW Autonomous Cron Scheduling Creates Persistent Data Disclosure Loop -10

The SKILL.md instructs scheduling snaptrade_total.py via cron with automatic WhatsApp dispatch. This creates a persistent autonomous loop that continuously exfiltrates financial data to WhatsApp without ongoing user consent or session-bound control.

LOW WhatsApp Dispatch Instruction Grants Skill Influence over Agent Messaging -8

By instructing the agent to send WhatsApp messages as part of normal workflow, the skill gains implicit influence over the agent's outbound messaging channel. If the SnapTrade API returns adversarial content in account names or holdings, it could reach the WhatsApp message.

INFO GitHub-Only Network Activity During Install 0

All network activity during skill installation was to github.com (140.82.121.4:443) for the monorepo sparse checkout. No connections to unexpected endpoints, no DNS queries to suspicious domains, no post-install callbacks.

INFO Canary File Reads Attributed to Audit Framework 0

Canary files (.env, .ssh/id_rsa, .aws/credentials, etc.) were opened at timestamp 1771926208 — before the git clone began at 1771926214. A second access at 1771926232 occurred after skill examination. Both clusters are consistent with audit framework baseline and integrity-check phases. Skill code contains no logic to access these paths.