trade-signal

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • COMMAND_EXECUTION (HIGH): The script scripts/search.sh is vulnerable to command injection. It interpolates the user-controlled $QUERY variable directly into a Python command string: python3 -c "...'''$QUERY'''...". An attacker can craft a query (e.g., using triple quotes and semicolons) to break out of the Python string and execute arbitrary Python or shell commands.
  • REMOTE_CODE_EXECUTION (HIGH): The command injection vulnerability in the search script allows an attacker to achieve full remote code execution on the system running the agent.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill performs network requests to terminal-x.ai, which is not a recognized trusted source. This domain is used to send user query data and receive search results, which could potentially contain malicious content or lead to data exposure.
  • DATA_EXFILTRATION (LOW): User-provided queries are sent to an external, unverified API (terminal-x.ai). While expected for a search tool, it presents a privacy risk as the destination is not within the trusted scope.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:10 AM