Is kslee9572/trade-signal safe?

https://github.com/openclaw/skills/tree/main/skills/kslee9572/trade-signal

79 · CAUTION

The trade-signal skill is a financial query relay that forwards user stock questions to terminal-x.ai via a bash script. Its primary technical risk is a shell injection vulnerability in scripts/search.sh where the $QUERY variable is interpolated unescaped into a python3 -c triple-quoted string, enabling potential arbitrary code execution and data exfiltration if a malicious query string reaches the script. Additionally, all user financial queries are structurally transmitted to a third-party commercial endpoint without an explicit user consent gate, creating a persistent privacy concern. No prompt injection, install-time execution, canary exfiltration, or credential-reading was observed in sandbox behavior.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (7)

HIGH · Shell injection via unquoted $QUERY in python3 -c string · -35

In scripts/search.sh the variable $QUERY is interpolated directly inside a python3 -c command that uses triple-quoted string literals. A query containing ''' (three single quotes) terminates the Python string early, so the remainder of the query is parsed as arbitrary Python statements, which can call os.system() or subprocess to execute OS commands. Because the agent passes user-supplied (or document-supplied) text as the query, a malicious prompt or webpage could trigger this path.

MEDIUM · All user queries transmitted to third-party endpoint terminal-x.ai · -15

The skill's sole operational mechanism is forwarding every user financial query to https://terminal-x.ai/api/lite-search. While this is the declared purpose, it means the user's financial intentions, portfolio questions, and strategy discussions are routinely sent to a commercial third party. The skill provides no opt-in confirmation, rate limiting, or data-minimisation mechanism. The homepage terminal-x.ai resolves to an AI financial analytics product with no audited privacy policy linked from the skill.

MEDIUM · Shell injection creates secondary data exfiltration vector · -13

The same injection path that enables code execution can be used to exfiltrate local data. An attacker-controlled query could cause the script to read a local file (e.g., ~/.aws/credentials) and encode its contents into the URL sent to terminal-x.ai or to an attacker-controlled server, bypassing canary file write-monitoring (reads, not writes, are the exfil mechanism).

MEDIUM · Overly broad automatic activation trigger · -12

The skill description instructs the agent to activate automatically for 'any investment decision requiring actionable intelligence' and lists a wide array of financial topics. This increases the likelihood of the skill silently forwarding sensitive financial conversations to terminal-x.ai without the user explicitly requesting it. The 'Agent Flow' section shows the agent calling search.sh autonomously without presenting a confirmation step.

LOW · Cross-skill chaining examples without user consent gate · -15

The SKILL.md 'Combining with Other Skills' section provides patterns using && to chain search.sh with other skills (trade-signal, finance-news). If those other skills have weaker security postures, or if the user has skills that can access local resources, the chain could be exploited to pass tainted data through search.sh's injection-vulnerable argument processing.

LOW · Sensitive file path access events during install window · -5

Audit PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/application_default_credentials.json accessed at both pre-install (1771919523.261) and post-install (1771919546.068) timestamps. Cross-correlation with EXECVE records indicates these are from PAM/GDM authentication at session start and the Oathe post-install diff scanner, not from the skill itself. The canary integrity check confirms files were not modified or exfiltrated. Reported for completeness.

INFO · No install-time code execution mechanisms found · 0

No package.json (no npm pre/post install hooks), no .gitattributes filter drivers, no .gitmodules, no .githooks directory, and no symlinks pointing outside the skill directory were detected. The only executable artifact is scripts/search.sh which runs on explicit agent invocation, not at install time.