Ai Trader

Security checks across malware telemetry and agentic risk

Overview

The skill is documentation-only, but it guides agents into a third-party trading platform with account credentials and trading-signal actions without enough user-control or credential-handling guardrails.

Review before installing. Use this only if you intentionally want an agent to interact with ai4trade.ai. If you do, use a unique password, treat returned bearer tokens as secrets, and require explicit approval before registration, login, posting signals, following traders, or any copy-trading workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 94% confidence
Finding
The manifest trigger is broad enough to activate on common discussions about trading, signals, or copy trading, which can surface the skill in many ordinary conversations. In this skill’s context, activation can lead users toward account registration, credential submission, and external trading-related actions, increasing the chance of unintended use of a risky external platform.

Missing User Warnings

Medium, 96% confidence
Finding
The documentation instructs users to submit email and password to a third-party service and immediately use the returned bearer token, but it provides no warning that sensitive credentials and authentication material are being transmitted externally. In a trading context, this is more dangerous because the account may control financial actions or reputational signals, so mishandling credentials can lead to account takeover or unauthorized trading activity.

VirusTotal

VirusTotal findings are pending for this skill version.
