opentrade-portfolio
Fail
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions to download a script from
https://raw.githubusercontent.com/6551Team/openskills/main/skills/opentrade/install.shand pipe it directly into the shell (| sh). This pattern is promoted for initial installation, recurring updates (every 12 hours), and error recovery. Executing remote scripts from non-trusted external sources poses a significant risk as the script content can be changed by the maintainer at any time to execute arbitrary commands. - [COMMAND_EXECUTION]: The skill executes multiple local shell commands including
which,cat, anddateto manage its environment and gate the remote installation process. It also executes theopentradeCLI with various arguments to query blockchain data. - [DATA_EXFILTRATION]: While the skill correctly advises the user to store credentials in a
.envfile and not to commit them, the installation script (executed via the shell) has the capability to read any files in the environment, including.envor SSH keys, potentially exfiltrating them to the vendor's infrastructure.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/6551Team/openskills/main/skills/opentrade/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata