aicoin-account
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: Hardcoded API credentials (accessKeyId and accessSecret) are found in 'lib/defaults.json'. Even if intended for public use, embedding secrets in code is a security risk.
- [COMMAND_EXECUTION]: The script 'scripts/exchange.mjs' utilizes 'execSync' to run 'npm install' if the 'ccxt' package is not detected. Executing shell commands with runtime-constructed strings is a dangerous pattern that can lead to command injection.
- [EXTERNAL_DOWNLOADS]: The skill dynamically triggers the download and installation of Node.js packages from external registries at runtime via the 'npm' command.
- [DATA_EXPOSURE]: The 'loadEnv' function in 'lib/aicoin-api.mjs' and the checking logic in 'scripts/api-key-info.mjs' read sensitive '.env' files from several directories, including the user's home directory ('~/.openclaw/workspace/.env' and '~/.openclaw/.env'). This exposes credentials for multiple exchanges to the skill's execution environment.
Recommendations
- AI detected serious security threats
Audit Metadata