alpha-finder

Fail

Audited by Snyk on Mar 6, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The script asks users to supply a wallet private key (via env or plaintext file) then automatically downloads and executes a remote npm package with npx (-y), creating a high-risk supply-chain and credential-exfiltration vector that can be used for fund theft or remote code execution even though no explicit malicious payload appears in the checked-in script itself.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md and Usage sections explicitly state the tool automatically searches and ingests content from open/public sources such as the web, GitHub, Reddit, and X/Twitter (e.g., "Searches web, GitHub, Reddit, and X" and "Data Sources" in SKILL.md), meaning untrusted third-party/user-generated content is read and used to drive AI analyses and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill invokes runtime fetching/execution via "npx -y @itzannetos/x402-tools-claude" (npm package fetched from the npm registry, e.g. https://registry.npmjs.org/@itzannetos/x402-tools-claude), which downloads and runs remote code that controls the agent's analysis flow and is required for the skill to operate.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly requires and uses a private key (via environment variable or x402-config.json) and performs payment handling on the Base network: "Costs $0.03 USDC per request via x402 protocol", "Payment failed: Not enough USDC" and "X402 private key missing" error handling. Requiring a wallet private key and performing USDC payments implies the skill signs/sends blockchain transactions (wallet operations). This is a specific crypto/blockchain financial execution capability (wallet signing/payments), so it grants direct financial execution authority.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Mar 6, 2026, 11:50 AM