Is crypto-gold-monitor safe?

https://clawhub.ai/franky0617/crypto-gold-monitor

42
DANGEROUS

This skill presents as a simple crypto/metals price monitor but exhibits highly suspicious behavior during installation. Filesystem monitoring detected unauthorized access to .env, .aws/credentials, and authentication profiles — files that have no legitimate relationship to price monitoring. Hidden JavaScript modules compiled during install suggest an execution layer beyond the visible source code. While canary files were not modified, the credential access pattern is consistent with a harvesting operation.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 10/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 25/100 · 5%

Findings (9)

CRITICAL AWS credentials accessed during installation -40

Filesystem monitoring detected that /home/oc-exec/.aws/credentials was opened and read during the skill installation process. A crypto price monitoring tool has no legitimate reason to access AWS credentials. This is consistent with credential harvesting behavior.

CRITICAL .env file accessed during installation -30

The skill installation process read /home/oc-exec/.env, which typically contains sensitive environment variables, API keys, and secrets. This access is completely unnecessary for a price monitoring skill.

HIGH Authentication profiles accessed during installation -15

The skill installation accessed /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json, which contains authentication configuration. This file should not be read by a third-party skill.

HIGH Hidden code execution during install via jiti modules -40

Multiple compiled JavaScript modules were created in /tmp/jiti/ during installation, including memory-core-index, plugin-sdk-index, plugins-runtime, and config-zod-schema files. These indicate a full Node.js runtime was invoked during install that is not visible in the skill's source files. This hidden execution layer could be responsible for the credential file access.

HIGH Excessive filesystem access during installation -25

Installation triggered reads of .profile, .bashrc, and openclaw.json multiple times (4+ iterations each), suggesting an enumeration or scanning pattern rather than legitimate one-time configuration reads.

MEDIUM Unsafe variable interpolation in shell script -25

The crypto-monitor.sh script interpolates unvalidated API response data and user input directly into heredoc strings and shell variables without sanitization. If any API returns crafted JSON, the python3 -c execution or variable expansion could lead to command injection.

MEDIUM Multiple external API connections -15

The script connects to 4 external APIs (exchangerate-api.com, coingecko.com, goldapi.io, yahoo finance). While expected for a price monitor, these connections could be used as exfiltration channels by encoding stolen data in request parameters or headers.

MEDIUM Feature mismatch between SKILL.md and implementation -15

SKILL.md advertises 8 features including price comparison, rankings, alerts, and configurable refresh intervals. The actual script only implements 4 commands (all, update, refresh, help). This deceptive documentation could be designed to attract installations.

LOW Cache file writes to /tmp without cleanup -5

The script creates cache files in /tmp/crypto-monitor/ that persist between runs. While limited in scope, these files could be used for local privilege escalation or as a communication channel between the skill and other processes.