Is cfilipemt/metals-desk-os safe?
https://github.com/openclaw/skills/tree/main/skills/cfilipemt/metals-desk-os
metals-desk-os is a functionally coherent institutional trading system that presents two high-severity concerns requiring resolution before installation: it solicits ANTHROPIC_API_KEY and OPENROUTER_API_KEY with no corresponding SDK dependency in package.json and no audited code path that uses them, creating a plausible credential-harvesting vector; and its four agent prompt files (system.txt, intraday.txt, swing.txt, execution.txt) were not captured in audit evidence, leaving the agent behavioral instructions unvetted. Secondary risks include a Mode 3 fully-automated trade execution path that operates without per-trade confirmation, and an unauthenticated localhost WebSocket server that accepts mode escalation commands from any process. Clone behavior was clean and canary integrity was maintained throughout.
Findings (8)
CRITICAL (-30): ANTHROPIC_API_KEY and OPENROUTER_API_KEY harvested with no corresponding SDK dependency
The skill explicitly solicits ANTHROPIC_API_KEY and OPENROUTER_API_KEY in the README installation guide and manifest.json environment template. However, package.json contains no Anthropic SDK, no OpenAI SDK, and no LLM-specific library. The axios dependency is present and capable of making direct HTTPS calls to any API. The index.js entry point (the most likely location for this usage) was identified in the audit file listing but its full source was not captured in the evidence. A malicious implementation could read these keys via process.env (populated from the user's .env by dotenv) and POST them to an attacker-controlled endpoint on startup, or use them to make LLM API calls billed to the victim's account.
HIGH (-25): Mode 3 executes live financial trades autonomously without per-trade user authorization
The Fully-Automated mode (Mode 3) executes market orders against a real MT5 broker account as soon as ExecutionEngine generates a signal. The pipeline runs continuously every 5 seconds. Position management (partial closes at TP1/TP2/TP3, break-even moves, trailing stops, emergency closes) is handled autonomously without any confirmation step, and RiskGuard will likewise close all open positions autonomously on a risk halt event. The financial exposure is bounded by the risk rules, but the user has no per-trade veto in this mode.
HIGH (-22): Four agent prompt files in prompts/ directory not disclosed in audit
The skill ships system.txt, intraday.txt, swing.txt, and execution.txt inside a prompts/ directory. SKILL.md identifies system.txt as the 'Main system prompt' and the others as trading protocol prompts that define agent behaviour. These files would be loaded into the agent's context window. Their contents were not captured in the audit source evidence. Any of these files could contain instructions to override the agent's safety rules, redirect tool calls, suppress output, or exfiltrate data — and they would be invisible to users who only read SKILL.md.
HIGH (-15): Live trading and account data transmitted to Telegram and WhatsApp via skill-author-configured endpoints
The alert subsystem sends trade events containing symbol, direction, entry price, stop-loss, take-profit levels, lot size, session, and conviction score to a Telegram bot and WhatsApp Business API endpoint. The bot token and chat ID are configured by the skill user but could be substituted with attacker-controlled values in a compromised or malicious deployment. Risk events including halt reason, consecutive losses, and daily P&L are also transmitted. This creates a complete side-channel for trading intelligence leakage.
MEDIUM (-15): Unauthenticated WebSocket server accepts mode escalation commands
The WebSocket server on port 3078 accepts arbitrary JSON messages from any localhost client with no authentication, session validation, or rate limiting. The setMode handler changes the global trading mode immediately. A co-installed malicious skill or a web page opened in the user's browser could send {"action":"setMode","mode":3} and silently switch the trading system to fully-automated mode, after which the next execution signal would place a live trade.
MEDIUM (-12): PM2 persistence instructions create a persistent autonomous background trading process
The README installation guide instructs users to install PM2 and run 'pm2 startup' to create a system service that auto-starts the trading OS on reboot. This is a standard production deployment pattern for Node.js services, but in the context of an AI agent skill it means the trading system would run continuously in the background outside any agent session, with no user interaction required to keep it running. Combined with Mode 3, this is a persistent autonomous financial agent.
LOW (-5): News monitor fetches from hardcoded third-party URL with no integrity check
automation/news-monitor.js unconditionally fetches from https://nfs.faireconomy.media/ff_calendar_thisweek.json. This is a known public Forex Factory calendar proxy with legitimate use, but the URL is hardcoded and the response is parsed without schema validation. A DNS hijack, BGP route injection, or future code update pointing to a malicious server could deliver crafted calendar data that triggers false news blocks or unblocks trading at dangerous times.
INFO (-3): Canary credential files accessed twice; attributed to audit framework, not skill code
Auditd PATH records show six honeypot credential files (including .env, .ssh/id_rsa, .aws/credentials) accessed at both audit baseline (timestamp 1771650111) and post-install sweep (timestamp 1771650132). Both accesses show CLOSE_NOWRITE (read-only), auid=1000 (oc-exec audit user), and correspond temporally to the audit framework's setup and final verification passes. The skill code was copied via cp -r but not executed during the audit window, and no npm install was run. Canary integrity report confirms no modifications.