Skills
skills/sundial-org/awesome-openclaw-skills/alpha-finder/Gen Agent Trust Hub

alpha-finder

Fail

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/analyze.sh uses npx -y @itzannetos/x402-tools-claude to download and execute code at runtime. This package is not from a trusted organization or the skill author's known vendor scope.
  • [CREDENTIALS_UNSAFE]: The skill requires and accesses highly sensitive cryptocurrency private keys (X402_PRIVATE_KEY) stored in ~/.x402-config.json. These credentials are then made available to the unverified external tool in the environment.
  • [EXTERNAL_DOWNLOADS]: The use of npx -y bypasses interactive confirmation, downloading external code from the public NPM registry every time the market analysis is run.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8).
  • Ingestion points: The tool processes data from external, attacker-controllable sources including GitHub, Reddit, X (Twitter), and general web results.
  • Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the processing logic.
  • Capability inventory: The skill executes shell commands via scripts/analyze.sh and performs network operations via the npx tool.
  • Sanitization: There is no evidence of sanitization or filtering of the external content before it is processed by the AI for probability assessments.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 6, 2026, 11:50 AM