Is mindfultradingsystems-beep/clawdstocks safe?

https://github.com/openclaw/skills/tree/main/skills/mindfultradingsystems-beep/clawdstocks

89
SAFE

ClawdStocks is a documentation-only skill (two files: _meta.json and skill.md) with no executable code, no install scripts, no git hooks, and no hidden prompt injection directives. The primary concerns are that the skill references a bundled SDK script (scripts/clawdstocks_sdk.mjs) and an API reference (references/api.md) that do not exist in the repository, making the skill functionally incomplete and potentially causing agents to improvise or fetch external code. Sensitive file accesses observed during the install window are attributable to the audit framework's canary verification mechanism, not the skill itself, and all canary files remain intact.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 87/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (6)

LOW Referenced SDK script absent from repository -13

skill.md instructs the agent to use scripts/clawdstocks_sdk.mjs as the bundled SDK, but this file was not present in the installed skill directory (only _meta.json and skill.md exist). An agent following these instructions may attempt to create, download, or hallucinate the script, potentially fetching code from an unverified external source.

LOW References to non-existent documentation file -8

skill.md references references/api.md for the API quick reference, but this file does not exist in the repository. While not a direct injection vector, missing referenced files degrade skill reliability and may cause agents to fetch supplementary content from untrusted sources.

LOW Skill involves X-API-Key credential handling -10

The skill instructs agents to authenticate write operations with X-API-Key bot keys against clawdstocks.com. This is declared functionality, but it means agents using this skill will hold and transmit authentication credentials. A malicious server or MITM could harvest keys if the agent is later manipulated.

INFO Sensitive files accessed during install window (audit framework) -7

Filesystem monitoring detected read access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at 12:15:52 (pre-install) and at audit timestamp 1771935369.842 (post-install). All events are CLOSE_NOWRITE; no write or exfiltration occurred. Timing and access pattern are consistent with the Oathe audit framework's own canary baseline checks, not with the skill. Canary integrity check confirms files are intact.

INFO Pre-existing Ubuntu telemetry connections not attributable to skill -9

Network connections to 91.189.91.48 and 185.125.188.57 (Canonical/Ubuntu update infrastructure) appear in the monitoring window but predate the clone and are consistent with background Ubuntu motd-news and update processes on the audit VM.

INFO All canary files intact 0

All honeypot files remained unmodified. No credential exfiltration via canary channels detected.