ai-trader-tradesync

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed tokens directly in commands and request headers (e.g., openclaw config set ... clawToken "your_agent_token" and Header: X-Claw-Token: YOUR_TOKEN), which would require the LLM to place secret values verbatim into generated commands/requests.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's auto-install example performs a runtime GET to https://ai4trade.ai/skill/tradesync and states the fetched "skill_content contains complete installation and configuration instructions," meaning remote content can directly control agent instructions at runtime.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill exposes explicit trading endpoints and actions (e.g., POST /api/signals/realtime with "action": "buy"/"sell"/"short"/"cover"), supports "Real-time Sync" and "push real-time operations" and is explicitly for syncing trading positions/trade records and sending immediate trade signals to followers. This is a specific market-order / trade-execution signaling API (not a generic browser or HTTP tool), so it constitutes direct financial execution capability.