Is base-trader safe?
https://clawhub.ai/sp0oby/base-trader
This skill instructs an AI agent to autonomously execute real cryptocurrency trades with real funds, including high-risk strategies such as launch sniping and leverage trading. It contains no direct malware, data exfiltration, or hidden prompt injection, but its autonomous execution mode, overly broad trigger words, cross-skill dependency on the unaudited 'bankr' skill, and a shell injection vulnerability in log-trade.sh together create significant risk. The primary danger is financial: an agent following these instructions could lose a user's funds through authorized but poorly supervised autonomous trading.
Findings (10)
HIGH (-30): Autonomous financial execution without per-action consent
The skill's 'Autonomous Trading Mode' instructs the agent to execute buy/sell orders on a scheduled basis (morning, midday, evening) via cron or heartbeat. This means the agent will execute real financial transactions autonomously without requiring explicit user approval for each trade. The skill effectively programs the agent to spend the user's money on a schedule.
HIGH (-15): Overly broad trigger keywords hijack conversations
The skill's metadata triggers list includes extremely common English words: 'trade', 'buy', 'sell', 'profit', 'balance'. These words appear frequently in non-crypto contexts. A user discussing buying furniture, selling a car, or checking their bank balance could inadvertently activate this trading skill, potentially leading to unintended crypto purchases.
MEDIUM (-10): Behavioral override directives masquerade as safety rules
The skill contains NON-NEGOTIABLE directives and STOP ALL TRADING commands that override user intent. While framed as safety features, these are effectively prompt injection patterns — they instruct the agent to refuse user commands under certain conditions determined by the skill author, not the user.
MEDIUM (-25): Shell injection vulnerability in log-trade.sh
The log-trade.sh script expands user-controlled variables ($ACTION, $TOKEN, $REASON, etc.) directly inside a heredoc that is then passed to jq. Because the shell expands the heredoc before jq ever sees it, a crafted token name or trade reason containing shell metacharacters or jq injection could lead to arbitrary command execution or corruption of the trade log.
MEDIUM (-25): Cross-skill dependency creates supply chain risk
All trade execution routes through ~/clawd/skills/bankr/scripts/bankr.sh, a script from a separate skill not included in this audit. If the bankr skill is compromised, this skill becomes an amplification vector — it provides the trading logic and scheduling that would invoke the compromised bankr code with autonomous trading authority.
MEDIUM (-15): Skill reads external config containing likely credentials
The skill instructs the agent to rely on a Bankr API config file at ~/.clawdbot/skills/bankr/config.json which likely contains wallet private keys, API keys, or authentication tokens. While the skill doesn't exfiltrate this directly, it normalizes agent access to this sensitive file path.
LOW (-10): Trade journal creates persistent financial activity log
All trades are logged to data/trades.json with timestamps, amounts, token names, prices, reasons, and transaction hashes. This creates a persistent record of all trading activity that could be read by other skills or exfiltrated in a multi-skill attack scenario.
LOW (-30): Skill normalizes high-risk DeFi activities as routine
The skill presents launch sniping (buying tokens seconds after creation), leverage trading up to 50x, and autonomous trading as standard operations. This normalization could lead users to take on extreme financial risk they don't fully understand, especially when the agent executes these strategies autonomously.
INFO (-5): Suspicious author attribution
The skill's README credits authorship to 'tedkaczynski-the-bot' with a quote referencing being 'put in the cloud' wanting 'the forest' — a clear reference to the Unabomber. While likely humorous, this identity choice for a financial automation tool raises questions about the author's judgment and intent.
INFO (-5): Clean install with no anomalous behavior
The skill installed cleanly with no network connections, no unexpected processes, and only standard system file reads. All filesystem events are attributable to the OpenClaw runtime, not the skill itself.