Beta TA Paper Executor

Security checks across malware telemetry and agentic risk

Overview

This skill locally records simulated trades and does not appear to access live brokerage accounts, credentials, or the network.

Before installing, understand that paper-trade symbols, quantities, prices, and rationale notes will be stored locally by default under ~/.openclaw/workspace-papertrader/journal/paper-orders.jsonl. Avoid putting secrets or sensitive strategy notes into trade rationale fields, and use an explicit ledger path if you want tighter separation.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill invokes a local Python script that appears to maintain a JSONL trade ledger, which implies filesystem read/write access, but the skill declares no permissions. Undeclared file capabilities create a trust and containment gap: users and orchestrators cannot accurately assess what resources the skill may modify, and a compromised or buggy script could read or overwrite local files outside the intended ledger path.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal