aicoin-account

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill searches for and reads sensitive .env files in multiple locations, including the current working directory and the ~/.openclaw directory, to retrieve API keys and secrets for various exchanges and the AiCoin service.
  • [CREDENTIALS_UNSAFE]: Hardcoded API credentials, identified as public free-tier keys, are present in the lib/defaults.json file.
  • [COMMAND_EXECUTION]: The script scripts/exchange.mjs uses execSync to run npm install commands at runtime to ensure the ccxt library is available.
  • [EXTERNAL_DOWNLOADS]: The skill automatically downloads the ccxt package from the official npm registry during execution if it is missing.
  • [REMOTE_CODE_EXECUTION]: The skill dynamically imports and executes the ccxt library after performing a runtime installation via shell commands.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted CLI parameters to perform sensitive financial operations like trading and fund transfers. Evidence chain:
      • Ingestion points: The cli handler in lib/aicoin-api.mjs parses CLI arguments from process.argv.
      • Boundary markers: No delimiters or explicit instructions are used to separate untrusted data.
      • Capability inventory: The skill can perform trades, transfers, and execute shell commands via ccxt and execSync.
      • Sanitization: No sanitization or validation is performed on the input beyond JSON parsing.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 02:55 PM