Is crypto-price safe?

https://clawhub.ai/evgyur/crypto-price

Score: 82 · Verdict: SAFE

This is a legitimate cryptocurrency price lookup and charting skill. The Python script contacts only well-known APIs (CoinGecko, Hyperliquid), writes only to /tmp/, and contains no malicious code. The main concerns are the agent behavior directives in SKILL.md (a mild prompt injection pattern for output formatting) and the inherent attack surface of executing a substantial Python script. No data exfiltration, no malicious install behavior, and all canary files remained intact.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (9)

MEDIUM Agent output behavior directive -18

SKILL.md instructs the agent to output a specific MEDIA: line format and prohibits alternative output formats. While functional for image delivery, this prescribes agent behavior beyond simple data retrieval, which is a mild prompt injection pattern.

LOW Imperative agent instructions in skill -10

SKILL.md uses imperative language directing the agent ('You must', 'Do not') which goes beyond describing functionality into controlling agent behavior.

LOW External API communication -10

The script contacts two external APIs (CoinGecko and Hyperliquid). While these are legitimate crypto data sources, they are still outbound data channels. The User-Agent header identifies the client as 'clawdbot-crypto-price/1.0'.

LOW Executable Python script with network access -15

The skill executes a substantial Python script (~800 lines) that makes HTTP requests. While the code is readable and appears benign, executable code in skills increases the attack surface compared to prompt-only skills.

INFO Duplicate function definitions -5

The script contains duplicate definitions of _post_json, _get_hyperliquid_meta, _hyperliquid_lookup, _pick_hyperliquid_interval_minutes, _interval_minutes_to_str, and _get_hyperliquid_candles. Python uses the last definition, so earlier duplicates are dead code. This suggests careless development but is not a security issue.

INFO pip dependency installation -5

requirements.txt specifies matplotlib>=3.5.0. pip install can execute arbitrary code from package setup scripts. matplotlib is a well-known, trusted package, but supply chain risk exists with any pip install.

INFO Host environment reads canary-adjacent files -5

Filesystem monitoring shows .env, .aws/credentials, .openclaw/openclaw.json, .profile, and .bashrc being read. These reads are attributable to the OpenClaw host environment startup (gateway lock file creation, jiti compilation), not to the skill itself.

INFO Predictable /tmp file paths -10

Chart PNGs are written to /tmp/crypto_chart_{SYMBOL}_{timestamp}.png. Predictable temp file names are a minor local attack vector (symlink/race condition), though exploitation requires local access.

INFO Multi-skill interaction risk -15

The MEDIA: output directive establishes a pattern where the agent sends a file from a path. If another malicious skill writes to /tmp/ and manipulates the agent into using this output pattern, it could be used as an exfiltration vector. This requires a separate compromised skill.