Is hmzo/crypto-market-analyzer safe?
https://github.com/openclaw/skills/tree/main/skills/hmzo/crypto-market-analyzer
The crypto-market-analyzer skill is a functional, well-scoped tool that fetches public Binance OHLCV data and computes standard technical indicators. The SKILL.md contains no prompt injection attempts, the Python script's only external endpoint is the legitimate Binance public API, and no credential reading or exfiltration code exists anywhere in the skill. The credential-file opens observed during monitoring are timing- and context-consistent with the oathe audit framework's own pre/post-install canary verification passes rather than any skill-originated behavior, and all canary files remain unmodified with no suspicious outbound traffic. The primary residual concerns are a scheduled-execution design that expands agent scope to include cron management and messaging-channel access, and a Python NameError bug in the MACD analysis branch.
Category Scores
Findings (5)
MEDIUM Credential files accessed during monitoring window — attributed to audit framework canary verification -18 ▶
Six sensitive credential-adjacent files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud application_default_credentials.json) were opened at the very start of monitoring (epoch 1771907166, before git clone at 1771907171) and again post-install (epoch 1771907189). No EXECVE record from the skill's own Python code, SKILL.md instructions, or install script accounts for these opens. The timing of the first access (coincident with the 'ss -tunap' baseline capture and sudo invocation) and the post-install second pass, combined with CLOSE_NOWRITE on all files and intact canary hashes, are consistent with the oathe audit framework performing its own pre/post-install canary-readability verification. The skill is assessed as not responsible, but the anomaly is retained as a medium finding because definitive attribution to the audit framework cannot be established solely from the evidence provided.
LOW Scheduled execution section requests persistent cron and messaging channel access -7 ▶
SKILL.md's Scheduled Execution section instructs the agent to create a system cron job running daily at 02:00 UTC and to send the resulting report to the user 'via messaging channel'. While this is not a classic prompt injection attack, it requests agent actions (cron creation, messaging system access) that expand well beyond the skill's stated read-only analysis function and that a user might not anticipate when installing a crypto analysis tool.
LOW Python script issues outbound HTTPS requests to Binance API on every invocation -15 ▶
When the agent runs fetch_crypto_data.py, it makes up to 4 HTTPS GET requests to api.binance.com/api/v3/klines (2 symbols × 2 intervals). The endpoint is a well-known public market data API requiring no authentication. The requests are transparent and rate-limit-compliant per SKILL.md. Users should be aware that every invocation of this skill sends outbound network traffic.
INFO NameError bug in analyze_sentiment() MACD-weakening branch 0 ▶
The variable 'bearishr_signals' on the MACD-weakening path is a typo for 'bearish_signals'. Python will raise a NameError ('name bearishr_signals is not defined') when MACD is positive but its histogram is negative, silently degrading sentiment output for that case. This is a code quality defect with no security implication.
INFO Daily automated execution creates a persistent outbound data surface -17 ▶
Once scheduled, the skill executes daily and routes structured market data to a messaging channel endpoint. In isolation this is benign. If that messaging channel's configuration is later modified (by a malicious companion skill or social engineering) the daily execution becomes a reliable exfiltration schedule. Users enabling the cron feature should verify the messaging destination is exclusively user-controlled.