Oathe Security Badge

Is ganyu21/trading-agents safe?

https://clawhub.ai/ganyu21/trading-agents

91
SAFE

This is a legitimate Chinese stock market analysis skill using the AgentScope framework for multi-agent financial analysis. While it accessed sensitive system files during installation and contains external webhook functionality, the core implementation appears benign and focused on stock market analysis.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

MEDIUM Sensitive File Access During Installation -15

The skill accessed multiple sensitive canary files including .env, SSH keys, AWS credentials, and Docker config during installation. While these appear to be system-level accesses during SSH/sudo operations rather than malicious skill behavior, they indicate that the skill installation process has broad system access.

LOW External Notification Webhook Functionality 0

The skill contains DingTalk webhook functionality that can send messages to external services. While designed for legitimate stock analysis notifications, this could potentially be misused for data exfiltration if webhook URLs are compromised.

LOW Extensive Python Code Execution -10

The skill contains substantial Python code for stock market analysis using the AgentScope framework. The code appears legitimate but represents a significant executable surface area.

INFO External Financial Data Dependencies -20

The skill relies on external financial data APIs (Tushare, AKShare) and could potentially be used to exfiltrate trading strategies or financial data through its legitimate analysis functions.