Skill Trust Decision

aicoin-monitor

SKILL.md explicitly claims 'strict isolation mode' with multiple 'never' statements (never read global config, never read env vars, never write to global paths), but the actual code violates every single one of these claims.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 3
Artifacts 8
Violations 2
Findings 5
Most direct threat evidence
01
SKILL.md advertises 'strict isolation mode' with explicit 'never' claims about global config and env vars Entry · SKILL.md
02
Code reads from /root/.openclaw-zero/config.yaml violating stated isolation Escalation · scripts/monitor.py
03
Code reads HTTP_PROXY/HTTPS_PROXY environment variables despite documentation saying 'never read env vars' Escalation · scripts/monitor.py

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

8 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 4 severe findings.

Review
Dependencies and supply chain hygiene

2 dependency or supply-chain issues need attention.

Attack Chain

01
SKILL.md advertises 'strict isolation mode' with explicit 'never' claims about global config and env vars

Entry · SKILL.md:1

02
Code reads from /root/.openclaw-zero/config.yaml violating stated isolation

Escalation · scripts/monitor.py:24

03
Code reads HTTP_PROXY/HTTPS_PROXY environment variables despite documentation saying 'never read env vars'

Escalation · scripts/monitor.py:57

04
Data written to /root/.openclaw-zero/workspace/memory/ violating documentation's 'never write to global paths' claim

Impact · scripts/monitor.py:252

What drove the risk score up

Doc-to-code mismatch on global config read +25

SKILL.md line '✅ Never reads /root/.openclaw-zero/config.yaml' but monitor.py:24 reads exactly that path

Doc-to-code mismatch on env var read +20

SKILL.md '✅ Never reads any environment variables' but monitor.py:57-59 reads HTTP_PROXY/HTTPS_PROXY

Doc-to-code mismatch on global path write +20

SKILL.md '✅ Never writes to /root/.openclaw-zero/workspace/memory/' but monitor.py:252 writes there

Proxy loading from global config +10

load_proxy_from_config() at line 48 reads /root/.openclaw-zero/config.yaml

Most important evidence

High Doc Mismatch

SKILL.md claims strict isolation but reads global config file

The documentation explicitly states '✅ Never reads /root/.openclaw-zero/config.yaml or any global configuration file', yet the code at line 24 reads exactly that path.

scripts/monitor.py:24
Remove all code that reads from /root/.openclaw-zero/config.yaml or implement the isolation claimed in documentation.

High Doc Mismatch

SKILL.md claims no env var access but code reads proxy env vars

The documentation states '✅ Never reads any environment variables (including AICOIN_API_KEY, HTTP_PROXY, etc.)', yet the code reads HTTP_PROXY and HTTPS_PROXY at lines 57-59.

scripts/monitor.py:57
Remove environment variable reading for proxies or update documentation to declare this capability.

High Doc Mismatch

SKILL.md claims no global path write but code writes to /root/.openclaw-zero/

The documentation states '✅ Never writes to /root/.openclaw-zero/workspace/memory/ or any global path', yet the save_data() function writes data to exactly that path.

scripts/monitor.py:252
Change save path to skill-local data/ directory as documented, or update documentation to declare global path writing.

High Sensitive Access

Proxy configuration loaded from global config file

load_proxy_from_config() reads /root/.openclaw-zero/config.yaml to extract proxy settings including support for multiple proxy configurations with names and addresses.

scripts/monitor.py:48
Remove global config reading. Proxy configuration should come only from skill-local config.yaml.

Medium Doc Mismatch

SKILL.md describes features not present in monitor.py

SKILL.md advertises 30+ data modules (on-chain, ETF, derivatives, whales, etc.) but monitor.py only implements basic price fetching, large orders, signals, and news — a significant feature mismatch.

SKILL.md:1
Either implement the advertised features or remove them from documentation.

Declared capability vs actual capability

Filesystem Block
Declared READ
Inferred WRITE
monitor.py:252 - writes to /root/.openclaw-zero/workspace/memory/

Environment Block
Declared NONE
Inferred READ
monitor.py:57-59 - reads HTTP_PROXY, HTTPS_PROXY env vars

Network Pass
Declared READ
Inferred READ
Uses requests to api.aicoin.com

Suspicious artifacts and egress

Medium External URL
http://127.0.0.1:7890

SKILL.md:138

Medium External URL
https://www.aicoin.com

SKILL.md:399

Medium External URL
https://docs.aicoin.com

SKILL.md:400

Medium External URL
https://www.aicoin.com/zh-Hans/opendata

SKILL.md:401

Medium External URL
https://api.aicoin.com/v1/market/ticker?symbol=

scripts/monitor.py:107

Medium External URL
https://api.aicoin.com/v1/large/orders?symbol=

scripts/monitor.py:218

Medium External URL
https://api.aicoin.com/v1/signals?symbol=

scripts/monitor.py:236

Medium External URL
https://api.aicoin.com/v1/news/flash?symbol=

scripts/monitor.py:254

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
requests | * | pip | No | No version pinned, no known vulnerabilities
pyyaml | * | pip | No | No version pinned

File composition

3 files · 945 lines
Python 1 file · 446 lines
Markdown 1 file · 414 lines
YAML 1 file · 85 lines
Files of concern · 2
scripts/monitor.py Python · 446 lines
SKILL.md claims strict isolation but reads global config file · SKILL.md claims no env var access but code reads proxy env vars · SKILL.md claims no global path write but code writes to /root/.openclaw-zero/ · Proxy configuration loaded from global config file · https://api.aicoin.com/v1/market/ticker?symbol= · https://api.aicoin.com/v1/large/orders?symbol= · https://api.aicoin.com/v1/signals?symbol= · https://api.aicoin.com/v1/news/flash?symbol=
SKILL.md Markdown · 414 lines
SKILL.md describes features not present in monitor.py · http://127.0.0.1:7890 · https://www.aicoin.com · https://docs.aicoin.com · https://www.aicoin.com/zh-Hans/opendata
Other files · config.yaml

Security positives

Uses requests library with User-Agent header for legitimate API calls
Implements timeout on network requests
No credential exfiltration or C2 communication observed
No base64-encoded payloads or obfuscation
No direct shell execution via subprocess