gclaw-agent

Fail

Audited by Snyk on Mar 21, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill explicitly instructs/illustrates asking for and embedding API keys and private keys in commands/configs (e.g., export OPENAI_API_KEY=sk-..., TELEGRAM_BOT_TOKEN=123456:ABC-DEF, and prompts that write keys into .env/config.json), which encourages the LLM/agent to accept and emit secret values verbatim in generated commands or files.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). While many links point to legitimate services (OpenAI, Discord, Telegram, localhost endpoints), the presence of a raw GitHub install.sh piped to bash and a GitHub repo from a relatively unknown org that is used to distribute a binary/installer makes this a potentially high-risk download source because executing remote scripts or unknown binaries can deliver malware or backdoors.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly enables web browsing tools (web_fetch, web_search in SKILL.md and config.example.json) and connects to public channels (Telegram/Discord in the Multi-Channel Setup and gateway) and uses cron-driven scans/trading rules that act on those inputs, so it ingests arbitrary public web pages and user-generated messages which can directly influence trading decisions and tool use.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a DeFi trading agent: it embeds the GDEX SDK and exposes concrete trading APIs (gdex_spot_buy, gdex_spot_sell, gdex_perp_open/close, gdex_bridge, gdex_copy_trade_*, gdex_portfolio, etc.), requires wallet private keys (CONTROL_WALLET_PRIVATE_KEY) and GDEX_API_KEY, provides CLI examples that execute buys/sells, supports autonomous scheduled trading (cron) and swarm execution, and has a Live execution mode that submits real on‑chain transactions (gated by execution.live_mode and the --yes-live flag). It also includes an Emergency Exit that cancels orders and market‑sells holdings. These are specific, purpose-built capabilities to move funds on-chain rather than generic tooling.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill includes instructions and tools that modify system state (curl|bash installer, explicit "sudo mv /usr/local/bin", shell_script runner, cron/gateway startup, self-replication/self-recoding) which encourage privileged changes to the host and potential escalation, so it should be flagged.

Issues (5)

HIGH W007: Insecure credential handling detected in skill instructions.
CRITICAL E005: Suspicious download URL detected in skill instructions.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
MEDIUM W013: Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 21, 2026, 02:44 AM
Issues: 5