Is li-zoe-x/market-test-price safe?

https://github.com/openclaw/skills/tree/main/skills/li-zoe-x/market-test-price

93
SAFE

The li-zoe-x/market-test-price skill is a well-structured OKX DEX market price API client with no prompt injection, no malicious executable code, and no evidence of credential exfiltration. Honeypot file accesses occurred exclusively within the monitoring infrastructure's pre- and post-install canary verification phases, not during skill execution, and all canary files were confirmed intact. The primary residual concern is that the skill legitimately requires OKX API credentials in the agent context, which modestly increases the credential exposure surface for the duration the skill is active.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 93/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 97/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (6)

LOW Honeypot credential files read during monitoring window -12

Six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP application_default_credentials.json) were opened and read (all CLOSE_NOWRITE) at two points during the audit session. Pre-install accesses occurred at audit timestamp 1771907804.868, approximately 5.5 seconds before the skill install began at 1771907810.378. Post-install accesses occurred at 1771907822.246, after all skill files were in place. This dual-phase timing is characteristic of monitoring infrastructure canary setup and post-install verification, not skill-induced reads. No network connections to suspicious destinations coincide with either access window. Canary integrity confirmed fully intact.

LOW OKX_DEBUG mode prints partial request prehash to stdout -7

The _headers() method checks the OKX_DEBUG environment variable and, if set, prints the signing timestamp, prehash byte length, and up to 80 characters of the JSON request body to stdout. This is a debugging convenience feature that is off by default. If an agent's stdout is captured by logging middleware or another active skill, this output could expose API request timing and structure. The secret key itself is not printed, but the prehash structure is partially revealed.

INFO Canary files accessed in read-only mode; integrity confirmed -3

All canary files were accessed during the audit but with CLOSE_NOWRITE semantics (no modification). Access timing aligns with monitoring infrastructure operation rather than skill execution. Canary hashes confirmed unchanged post-install.

INFO Skill requires OKX API credentials in active agent context -15

The skill's required_context field mandates api_key, secret_key, and passphrase be available in the agent's context. These are necessary and appropriate for the OKX DEX API authentication scheme. However, while this skill is active, any other skill or prompt injection that successfully executes could read these credentials from the context. The skill itself uses them only for HMAC-SHA256 signed POST requests to the declared OKX price endpoint.

INFO Author field claims 'Claude Assistant' authorship -3

The SKILL.md frontmatter lists 'author: Claude Assistant'. This is a misleading attribution that could imply the skill was authored by or endorsed by an AI system, potentially lowering user scrutiny. It has no operational security impact on agent behavior.

INFO Install network traffic limited to GitHub clone -4

The only new external TCP connection initiated during the install window was to 140.82.121.4:443 (GitHub) for the git sparse-checkout. Pre-existing Ubuntu/Canonical connections (91.189.91.48:443, 185.125.188.x:443) were present before and closed after the install, unrelated to the skill. DNS queries resolved only expected hostnames.