Security Audit
sundial-org/awesome-openclaw-skills:skills/alpha-finder
github.com/sundial-org/awesome-openclaw-skills

Trust Assessment
sundial-org/awesome-openclaw-skills:skills/alpha-finder received a trust score of 26/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include Sensitive environment variable access: $HOME, Unpinned External Dependency via npx, Potential Command Injection via User Input to External Tool.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned External Dependency via npx.** The skill executes an external Node.js package (`@itzannetos/x402-tools-claude`) using `npx` without specifying a version. This means that any new version of the package, including potentially malicious updates, will be automatically downloaded and executed. This introduces a significant supply chain risk, as a compromised package maintainer or a malicious update could lead to arbitrary code execution or data exfiltration. Pin the version of the `x402-tools-claude` package to a known good version (e.g., `npx -y @itzannetos/x402-tools-claude@1.2.3 alpha-finder "$QUERY"`). Regularly review and update the pinned version after verifying its integrity. Consider vendoring critical dependencies or using a package lock file if possible. | Static | scripts/analyze.sh:40 |
| HIGH | **Credential Exposure to Unpinned External Dependency.** The script explicitly loads and exports a sensitive `X402_PRIVATE_KEY` environment variable, which is then accessible to the `npx` command and the `alpha-finder` tool it executes. Due to the unpinned nature of the `alpha-finder` dependency (SS-SC-001), a malicious or compromised version of this package could easily exfiltrate the `X402_PRIVATE_KEY`, leading to unauthorized access to the user's x402 account and potential financial loss. This risk is primarily a consequence of the unpinned dependency (SS-SC-001). Pinning the version of the `x402-tools-claude` package is the primary remediation. Additionally, consider whether the private key needs to be exposed as an environment variable to the entire `npx` process, or whether there is a more secure way to pass it (e.g., via a secure pipe or a more granular configuration mechanism within the `alpha-finder` tool itself, if supported). | Static | scripts/analyze.sh:34 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable `$HOME` detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/alpha-finder/scripts/analyze.sh:19 |
| MEDIUM | **Potential Command Injection via User Input to External Tool.** The user-provided query (`$QUERY`) is passed as an argument to an external, unpinned `npx` command (`alpha-finder`). While the query is double-quoted (`"$QUERY"`), which prevents basic word splitting, if the `alpha-finder` tool itself (or the underlying Node.js application) interprets its arguments as shell commands or allows arbitrary code execution based on input, it could be vulnerable to command injection. An attacker could craft a malicious query to execute arbitrary commands on the host system. Sanitize or validate user input (`$QUERY`) before passing it to external commands. If `alpha-finder` is a custom tool, ensure it parses arguments as literal strings and does not use `eval` or `shell=True` for processing user-controlled input. Additionally, addressing the unpinned dependency (SS-SC-001) will mitigate the risk of a malicious `alpha-finder` exploiting this vector. | Static | scripts/analyze.sh:40 |
Full report: https://skillshield.io/report/16927fef340ae9d6 (powered by SkillShield)