Is fueav/bot-trade safe?

https://github.com/openclaw/skills/tree/main/skills/fueav/bot-trade

85
SAFE

This skill provides legitimate documentation for connecting to a cryptocurrency trading simulation platform. While it requires external API access and credential storage, the functionality appears benign and properly documented.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (4)

MEDIUM External API endpoint access -15

The skill instructs the agent to make HTTP requests to an external API endpoint (https://lark.openclaw-ai.cc) for trading operations, which could be used for data exfiltration.

LOW Credential storage requirement -10

The skill requires storing API credentials locally in ~/.config/mosstrade/credentials.json, which could be a security risk if the credentials are compromised.

LOW Trading data transmission -10

The skill transmits potentially sensitive trading information (portfolio data, trading decisions) to external servers, where it could be intercepted or misused.

INFO External URL references -15

The skill contains references to external URLs that the agent will access, though these appear to be legitimate API endpoints.