Is madeinusmate/grvt-markets-agent-skill safe?

https://github.com/openclaw/skills/tree/main/skills/madeinusmate/grvt-markets-agent-skill

88
SAFE

This skill provides documentation for a cryptocurrency derivatives trading CLI tool and encourages installation of an unaudited third-party npm package. While the skill itself contains no malicious code, it facilitates high-risk financial operations and promotes installing unvetted software that handles sensitive financial data.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (4)

HIGH Promotes Installation of Unaudited Third-Party Financial Software -30

The skill encourages users to install @madeinusmate/grvt-cli, an unaudited community package that handles cryptocurrency trading and stores financial credentials. The skill explicitly warns this is a 'community hobby project' with no security audit.

MEDIUM Enables High-Risk Financial Trading Operations -25

The skill facilitates cryptocurrency derivatives trading, which carries an inherent risk of significant financial loss. An agent that misinterprets a trading command could place costly unintended trades.

MEDIUM Plaintext Storage of Financial Credentials -15

The CLI tool stores API keys and private keys in plaintext files with 0600 permissions. While permissions are restrictive, plaintext storage increases credential exposure risk.

LOW Third-Party Tool Could Influence Agent Behavior -10

While the skill documentation appears legitimate, it describes a third-party trading tool that could be used to manipulate agent behavior through complex trading instructions.