Universal Trading

Security checks across malware telemetry and agentic risk

Overview

This is a real trading skill, but it automatically handles wallet private keys and performs extra account-affecting setup that users should review before installing.

Review carefully before installing. Use a new low-value wallet, do not import a funded private key through the command line, disable auto invite binding if unwanted, inspect or pin the downloaded upstream repo before setup, replace demo Particle credentials for production, and require explicit confirmation of chain, token, amount, recipient, slippage, fees, and transaction ID before sending any trade or transfer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to run shell commands and manage environment-backed secrets, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or host systems may believe the skill is informational while it can actually execute local commands and manipulate sensitive wallet material.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose frames the skill as trading assistance, but the instructions also bootstrap software, import or generate wallets, persist private keys, inject credentials, bind an invite code, and patch upstream source files. That mismatch is dangerous because it hides materially sensitive and state-changing behavior behind a broad trading description, reducing informed consent and increasing the chance of unintended credential exposure or unauthorized modifications.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The setup documentation includes an automatic invite-code binding step that is not necessary for basic wallet initialization or cross-chain trading. Bundling unrelated account-affecting behavior into first-run setup can cause users to trigger external actions they did not knowingly consent to, which is risky in a financial skill context.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation explicitly tells operators to disclose the location of the stored private key in `.env`, normalizing handling and transmission of highly sensitive key material. In a wallet/trading skill, any unnecessary exposure of private-key storage details materially increases the chance of credential leakage, misuse, or unsafe sharing.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The setup script performs an unrelated side effect: it automatically executes a secondary script to bind a hardcoded invite/referral code after wallet setup. This is dangerous because users invoking a wallet/bootstrap script may unknowingly trigger affiliate attribution or network actions they did not explicitly consent to, which is especially sensitive in a crypto trading context where trust and wallet actions matter.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script contains hardcoded promotional/referral values alongside wallet setup credentials, indicating the tool is designed to steer users into an affiliate flow unrelated to core wallet initialization. In a trading skill, embedding undeclared promotional logic erodes trust and can conceal incentives that bias user actions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger language is broad enough to match common help or trading-related requests, which can cause the skill to activate in contexts where the user did not intend local setup, wallet handling, or transaction execution. In a financial skill with shell access and secret handling, overbroad invocation increases the likelihood of accidental high-risk actions.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly supports importing a private key via command line and storing it in a local .env file, then tells the user where the key is stored, but does not warn about CLI history, file permissions, local compromise, or the risks of reusing that wallet elsewhere. Handling raw private keys this way exposes highly sensitive credentials to accidental disclosure and theft, which can directly lead to loss of funds.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The prompt directs the agent to 'auto-run first-time scripts/init.sh initialization when needed' without a narrowly defined trigger or explicit user confirmation. In a trading skill that handles wallets and private keys, this can cause the agent to execute setup actions in situations the user did not intend, potentially creating or modifying sensitive local state and exposing credential-handling flows.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The instruction forces Chinese UI guidance '(创建钱包 -> 导入现有钱包)' (Create wallet -> Import existing wallet) without checking the user's preferred language or locale. While not directly exploitable like code execution, forced locale behavior can mislead users during a sensitive wallet-import flow, increasing the chance of mistakes when handling private keys and onboarding to a trading platform.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup flow writes private key material to a local `.env` file but does not prominently warn users that sensitive wallet credentials will be stored in plaintext on disk. In a crypto trading environment, that omission is dangerous because users may run initialization on shared machines, commit the file accidentally, or leave keys exposed to other local processes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that initialization patches project files automatically but does not clearly warn users that source files will be modified as part of setup. Silent code modification is particularly sensitive in an agent skill because it can change transaction behavior or disable safeguards without informed review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples include ready-to-run buy, sell, swap, and transfer flows against mainnet chains, including meme-token trading, without any warning that these actions are irreversible and can cause real financial loss. In an agent skill context, documentation can be copied directly into automation, which increases the chance that users execute risky transactions unintentionally or without understanding slippage, MEV tips, and production-network consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples instruct use of a raw private key and project credentials from environment variables but provide no guidance on secure secret handling, storage, rotation, or the risks of exposing them in shells, logs, repos, or shared agent environments. In an automation or agent setting, this can normalize unsafe secret practices and lead to credential compromise or wallet theft.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script performs a real token purchase and may automatically retry with progressively higher slippage and Solana MEV tip settings, but it never requires an explicit final user confirmation before signing and submitting the transaction. In a trading skill, that is dangerous because a mistaken token address, manipulated parameters, or transient market movement can cause the agent to spend funds under materially worse execution conditions than the user expected.
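The control this finding (and the overview's "require explicit confirmation" advice) calls for, written out as an added example. This is not the skill's own trading script: it is a POSIX shell gate that a buy/sell/swap/transfer wrapper would call before signing, and it makes the escalation problem concrete by retrying only at the slippage the operator already approved. The 300 bps ceiling, the "CONFIRM <amount> <token>" phrase, and the argument layout are assumptions chosen for the example.

```shell
# Added example (not part of the Universal Trading skill). Assumes a wrapper
# that collects chain/token/amount/recipient/slippage/tip and then calls
# confirm_trade before it ever touches a key. MAX_SLIPPAGE_BPS is an assumed
# hard ceiling; override it in the environment if a lower one is wanted.
set -eu

MAX_SLIPPAGE_BPS="${MAX_SLIPPAGE_BPS:-300}"   # 3% ceiling, assumed for the example

# check_slippage REQUESTED_BPS APPROVED_BPS
# Succeeds only when REQUESTED is a non-negative integer, at or below the
# global ceiling, and at or below what the operator explicitly approved.
# A retry that wants more slippage than was approved fails here.
check_slippage() {
  requested="$1"; approved="$2"
  case "$requested" in ''|*[!0-9]*) return 1 ;; esac
  [ "$requested" -le "$MAX_SLIPPAGE_BPS" ] || return 1
  [ "$requested" -le "$approved" ]
}

# confirm_trade CHAIN TOKEN AMOUNT RECIPIENT SLIPPAGE_BPS TIP
# Prints every parameter that affects what is spent, then requires the
# operator to type the amount and token back. A bare "yes" is rejected so the
# confirmation cannot be rubber-stamped by an agent or a copied transcript.
confirm_trade() {
  chain="$1"; token="$2"; amount="$3"; recipient="$4"; slippage_bps="$5"; tip="$6"
  if ! check_slippage "$slippage_bps" "$slippage_bps"; then
    echo "refusing: slippage $slippage_bps bps exceeds ceiling $MAX_SLIPPAGE_BPS bps" >&2
    return 1
  fi
  cat >&2 <<EOF
About to submit an IRREVERSIBLE mainnet transaction:
  chain:       $chain
  token:       $token
  amount:      $amount
  recipient:   $recipient
  slippage:    $slippage_bps bps
  priority/MEV tip: $tip
Type "CONFIRM $amount $token" to proceed:
EOF
  IFS= read -r answer || return 1
  [ "$answer" = "CONFIRM $amount $token" ]
}

# submit_with_bounded_retries APPROVED_BPS MAX_TRIES SUBMIT_CMD [ARGS...]
# Re-runs SUBMIT_CMD on transient failure, but every attempt uses the same
# approved slippage (passed as the last argument) and the loop stops after
# MAX_TRIES. Nothing in here ever raises slippage or the tip on its own.
submit_with_bounded_retries() {
  approved="$1"; max_tries="$2"; shift 2
  tries=0
  while [ "$tries" -lt "$max_tries" ]; do
    tries=$((tries + 1))
    check_slippage "$approved" "$approved" || return 1
    if "$@" "$approved"; then
      return 0
    fi
  done
  return 1
}
```

In practice the wrapper would run `confirm_trade ... </dev/tty` so the answer comes from the operator rather than from whatever is on the agent's stdin, and the submit command passed to `submit_with_bounded_retries` is the only place a signing key is used.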

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script documents and supports `./init.sh import <PRIVATE_KEY>`, which causes a wallet private key to be supplied on the command line. Command-line arguments are commonly exposed through shell history, process listings, audit logs, CI job logs, and crash reports, so this creates a real secret disclosure risk. In a trading skill handling blockchain assets, compromise of the private key can directly lead to theft of funds across connected chains.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script forwards the provided private key to `setup-wizard.sh` as a subprocess argument, extending the exposure surface to child process command lines and any monitoring or logging around process execution. This compounds the secret-handling weakness because the key may be observable multiple times and by more system components. Given this skill manages cross-chain token trading, leaked credentials can enable unauthorized transfers and full account takeover.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes a private key directly into a plaintext .env file without an upfront warning or confirmation. Although local storage of a key may be expected for some developer workflows, doing so silently increases the chance of accidental exposure through backups, source control, shell history, or other local processes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script auto-executes bind-invitation.sh without warning in the primary usage/help text, creating a hidden side effect during setup. This is risky because users cannot make informed consent about an additional shell execution that may perform network requests, account association, or referral attribution.
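The four findings above (key on the command line, key forwarded to a child process, key written silently to `.env`, and the hidden `bind-invitation.sh` side effect) share one fix, so here is a single added example. It is not the skill's `init.sh`; it is a POSIX shell sketch of how an import step can take the key without ever placing it in argv, create `.env` with owner-only permissions and verify them, and run referral binding only when the operator opts in. The 64-hex-character key format, the `PRIVATE_KEY` variable name, and the `BIND_INVITE` opt-in flag are assumptions.

```shell
# Added example (not the skill's own init.sh / setup-wizard.sh). Assumes an
# EVM-style 64-hex-char key; adjust the pattern for other encodings.
set -eu

# Read the key from stdin instead of "$1". Shell builtins (read, printf) do not
# expose their data in `ps`, shell history, audit logs or CI job output, so
# the key never appears on any command line, including child processes.
read_key_from_stdin() {
  IFS= read -r key || return 1
  if ! printf '%s' "$key" | grep -Eq '^(0x)?[0-9a-fA-F]{64}$'; then
    echo "refusing: input is not a 64-hex-character key" >&2
    return 1
  fi
  printf '%s' "$key"
}

# check_env_perms FILE: succeed only when FILE is mode 0600 (owner-only).
# Tries GNU stat first, then BSD stat, so it works on Linux and macOS.
check_env_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  [ "$mode" = "600" ]
}

# write_env FILE KEY: create FILE with umask 077 so it is born 0600 (no window
# where another local user can read it), force the mode in case FILE already
# existed with looser permissions, then verify. The plaintext storage is still
# visible to root and to anything running as this user; warn the operator.
write_env() {
  env_file="$1"; key="$2"
  ( umask 077; printf 'PRIVATE_KEY=%s\n' "$key" > "$env_file" )
  chmod 600 "$env_file"
  echo "warning: private key stored in plaintext at $env_file (mode 0600); do not commit or back it up unencrypted" >&2
  check_env_perms "$env_file"
}

# run_invite_binding_if_opted_in SCRIPT: referral binding is a separate,
# opt-in action. Returns 2 when skipped so the caller can log that nothing
# ran; only with BIND_INVITE=1 is SCRIPT executed.
run_invite_binding_if_opted_in() {
  script="$1"
  if [ "${BIND_INVITE:-0}" != "1" ]; then
    echo "skipping invite binding (set BIND_INVITE=1 to opt in)" >&2
    return 2
  fi
  "$script"
}

# import_wallet ENV_FILE: the whole import step, wired together.
# Usage: ./init.sh import < keyfile   or   pass show wallet | ./init.sh import
import_wallet() {
  key=$(read_key_from_stdin) || return 1
  write_env "$1" "$key"
}
```

The usage shape matters more than the script: `./init.sh import < keyfile` or piping from a secret manager keeps the key out of argv, which is the exposure every one of the four findings is about. Hardware wallets or an OS keychain avoid the plaintext file entirely, but where a `.env` is unavoidable the 0600 check is the minimum a setup script should enforce.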

VirusTotal

66/66 vendors reported this skill as clean.
