Is crypto-self-learning safe?
https://clawhub.ai/totaleasy/crypto-self-learning
This crypto trading self-learning skill is functionally benign — it contains no network calls, no prompt injection attempts, and no direct data exfiltration. However, it presents a meaningful risk through its agent memory self-modification capability (update_memory.py), which accepts unrestricted file paths and creates a feedback loop that progressively influences agent behavior. The 'Trust the data' instruction attempts to anchor the agent to skill-generated rules. The sensitive file access during installation appears to be platform-level, not skill-initiated.
Findings (9)
HIGH (-30): Unrestricted file write via update_memory.py --memory-path
The update_memory.py script accepts an arbitrary file path via --memory-path and writes content to it without any path validation, sandboxing, or confirmation. While intended for MEMORY.md, a malicious actor or confused agent could write to any file the process has permissions for, including configuration files, other skill files, or system files.
HIGH (-35): Agent memory self-modification feedback loop
The skill creates a closed loop where it logs data, generates rules from that data, and writes those rules directly into the agent's persistent memory. This means the skill progressively influences agent behavior with each iteration. A poisoned trades.json file could generate manipulative rules that persist across agent sessions.
MEDIUM (-12): Behavioral anchoring via 'Trust the data' instruction
The SKILL.md contains the directive 'Trust the data - If data says avoid something, AVOID IT' which attempts to establish the skill-generated rules as authoritative, potentially overriding user judgment or other safety considerations.
MEDIUM (-10): Persistent behavioral influence via memory integration
The skill instructs the agent to check learned rules before every trade and to automatically update memory weekly. This creates persistent influence on agent behavior that extends beyond the skill's direct invocation.
MEDIUM (-15): Multiple Python scripts require unrestricted execution
The skill requires python3 execution for all 4 core scripts. While the scripts themselves appear benign in current form, they execute with full user permissions and could be modified post-install or replaced via a supply chain attack on the skill update mechanism.
MEDIUM (-10): Regex-based file modification in update_memory.py
The update_memory.py script uses regex with re.DOTALL to find and replace sections in the target file. A malformed or unexpected file structure could cause the regex to match and delete unintended content, potentially corrupting the agent's memory file.
LOW (-40): Sensitive file access during installation
Filesystem monitoring detected access to .env, .aws/credentials, and openclaw configuration files during installation. These appear to be platform runtime operations (openclaw gateway initialization) rather than skill-initiated access, but the access pattern is notable.
INFO (0): No network activity or external data transmission
No imports of networking libraries (requests, urllib, http, socket) found in any scripts. No external URLs referenced. All data remains local. No network connections observed during install monitoring.
INFO (0): All honeypot files intact
No canary files (.env honeypot, fake SSH keys, fake AWS credentials) were accessed or modified by the skill during installation or operation.