Is cassh100k/crypto-alpha-scanner safe?

https://github.com/openclaw/skills/tree/main/skills/cassh100k/crypto-alpha-scanner

88
SAFE

The crypto-alpha-scanner skill is a straightforward Python market intelligence tool that fetches publicly available cryptocurrency data from three well-known APIs using only the Python standard library. The install process was clean — only GitHub was contacted, no credential files were accessed by the skill, all canary files remain intact, and the code contains no subprocess calls, eval, or local file reads. The primary residual risk is that unsanitized text from Polymarket and CoinGecko API responses is injected directly into agent output, creating a theoretical supply chain prompt injection vector; additionally, documentation references a non-included Telegram posting script that could be a social engineering hook.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (5)

MEDIUM Unsanitized External API Content Injected into Agent Context -15

The get_polymarket_hot() and get_trending_coins() functions fetch arbitrary text from third-party APIs and insert it directly into the formatted output that the agent consumes. Specifically, Polymarket market question strings (truncated at 60 chars) and CoinGecko coin names are inserted verbatim. A compromised or adversarially configured API response could embed LLM instructions in this text, causing the consuming agent to execute unintended actions.

LOW Non-Existent Shell Script Referenced in Documentation -10

SKILL.md prominently documents a Telegram posting workflow that pipes scanner.py output through scripts/post_telegram.sh, but this script is absent from the skill files. Users following the Quick Start section would need to create this script themselves. If the author later adds this script to the repository, or if users are socially engineered into using a malicious version, it would have shell execution capabilities on the host.

LOW Internal Code Identity Does Not Match Published Skill Name -12

The Python script self-identifies as 'MoltAlpha Scanner v2' in its docstring and sends HTTP requests with User-Agent 'MoltAlpha/2.0', while the skill is published under the slug 'crypto-alpha-scanner'. This discrepancy indicates the code was taken from a different project and repackaged without updating internal identifiers, which reduces auditability and could complicate incident response.

INFO Outbound HTTP Connections to Three External Services on Each Invocation 0

The skill's intended operation generates HTTP requests to api.coingecko.com, api.alternative.me, and gamma-api.polymarket.com. No such connections were observed during the monitored install window (only GitHub was contacted), confirming the script was not auto-executed. Users should be aware that each invocation creates external network traffic.

INFO Credential File Accesses Pre-Date Skill Installation 0

Filesystem monitoring recorded accesses to .env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at 13:25:17. The git clone did not begin until 13:25:22 — five seconds later. These accesses are consistent with the oathe audit framework placing canary files before monitoring begins. A second set of auditd PATH events for the same files at timestamp 1771939534 (post-install) aligns with the monitoring framework's post-install integrity check. The skill did not access credential files at any point.