KryptoGO Meme Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto trading skill, but its default monitoring path can execute live sells despite documentation saying supervised mode only notifies the user.

Install only after careful review. Use a dedicated low-value Solana wallet, do not reuse a main wallet, avoid default cron/monitor.py until the auto-sell behavior is fixed or fully understood, and keep ~/.openclaw/workspace/.env and memory/trading-*.json protected. Treat the backend shutdown notice as active: analysis-based safeguards may no longer work reliably after 2026-05-04.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            print(f"  {pkg} -- already installed")
        except ImportError:
            print(f"  {pkg} -- installing...")
            subprocess.check_call(
                [sys.executable, "-m", "pip", "install", pkg],
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
Confidence
96% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", pkg], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, )

Tainted flow: 'HEADERS' from os.environ.get (line 64, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
# ---------------------------------------------------------------------------

print("\nStep 3: Submitting signed transaction...")
submit_resp = requests.post(
    f"{API_BASE}/agent/submit",
    headers=HEADERS,
    json={"signed_transaction": signed_tx_b64},
Confidence
86% confidence
Finding
submit_resp = requests.post( f"{API_BASE}/agent/submit", headers=HEADERS, json={"signed_transaction": signed_tx_b64}, )

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script continues to depend on a backend explicitly documented as shutting down, including analysis, portfolio, and swap-related paths. In a trading skill, stale or unavailable infrastructure can cause failed checks, degraded risk controls, misleading outputs, or unsafe automation decisions when protections silently stop working.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script is presented as a cron-based discovery scan, but it dynamically loads a trading workflow and can execute live swaps automatically every 30 minutes. In a trading skill context, this is especially dangerous because analysis/discovery automation crossing into autonomous fund-moving behavior can cause repeated unintended trades, losses, or abuse without an operator present.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The code returns a fabricated success-like object with placeholder tx_hash and explorer_url values instead of the real transaction result, despite comments implying compatibility with expected transaction semantics. This can mislead upstream logic into believing a trade succeeded, breaking auditability, error handling, reconciliation, and potentially triggering follow-on actions on false assumptions.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
This monitoring script crosses from observation into autonomous execution by spawning a trade script when heuristic triggers fire. In a trading skill, that makes mistakes or manipulated upstream data materially dangerous because a read-only monitor can now sell assets without an explicit human approval step.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The security comments are materially misleading because the code signs an opaque transaction supplied by the server and returns the signed result for broadcast. While the private key is not transmitted, the server can still potentially induce unauthorized or harmful actions if the client does not verify what is being signed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The discovery pipeline can automatically buy a token and submit a signed transaction without an explicit user confirmation step. In a high-risk meme-coin trading context, autonomous execution materially increases the chance of unauthorized or unintended financial loss if analysis is wrong, APIs are compromised, or token data is manipulated.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The exit path can automatically sell or reduce positions without a mandatory confirmation from the user. Because this code controls real assets, an erroneous signal, manipulated market data, or service malfunction could trigger unwanted liquidation and irreversible losses.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs persistent logging of detailed trade history, reasoning, and outcomes into memory files without any guidance on retention limits, redaction, access controls, or user consent. In an autonomous trading context, these files can accumulate sensitive financial behavior data that may be exposed to other skills, operators, backups, or future prompts, creating privacy and profiling risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
This cron job can execute real trades automatically every five minutes based on portfolio conditions, with no interactive confirmation, secondary approval, or dry-run safeguard. In a trading skill, that is especially dangerous because asset swaps are irreversible and a logic error, bad data feed, or manipulated input can immediately cause financial loss.

Missing User Warnings

High
Confidence
99% confidence
Finding
The cron job invokes discover_and_analyze() and may execute trades without any interactive confirmation, acknowledgement, or separate execution gate. In the context of a wallet-connected meme-coin trading skill, unattended periodic execution is highly risky because volatile assets and external signals can rapidly convert analysis bugs or manipulated inputs into real financial loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically executes sells based on external API data and local heuristics with no interactive confirmation, no rate limiting, and no secondary safety checks. In this skill context that is especially dangerous because false positives, backend errors, or manipulated cluster signals can directly trigger irreversible asset liquidation.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script sends a wallet address together with an authenticated API request to a third-party service, exposing portfolio metadata and linking the user's identity or wallet activity to that provider. In a trading skill, this data flow is functionally expected, but the lack of explicit runtime notice or consent increases privacy and operational risk, especially because the backend is remote and handles sensitive financial information.

External Transmission

Medium
Category
Data Exfiltration
Content
# ---------------------------------------------------------------------------

print("\nStep 3: Submitting signed transaction...")
submit_resp = requests.post(
    f"{API_BASE}/agent/submit",
    headers=HEADERS,
    json={"signed_transaction": signed_tx_b64},
Confidence
84% confidence
Finding
requests.post( f"{API_BASE}/agent/submit", headers=HEADERS, json=

Env Variable Harvesting

High
Category
Data Exfiltration
Content
API_BASE = "https://wallet-data.kryptogo.app"
API_KEY = os.environ.get("KRYPTOGO_API_KEY")
WALLET = os.environ.get("SOLANA_WALLET_ADDRESS")
PRIVATE_KEY = os.environ.get("SOLANA_PRIVATE_KEY")

SOL_MINT = "So11111111111111111111111111111112"
Confidence
88% confidence
Finding
os.environ.get("SOLANA_PRIVATE_KEY

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### Default Mode: Supervised

By default, the agent operates in **supervised mode**: it analyzes tokens, presents recommendations, and waits for user approval before executing any trade. Stop-loss/take-profit conditions are reported to the user but not auto-executed.

To enable autonomous trading, set `require_trade_confirmation: false` in preferences. See `references/autonomous-trading.md` for full details.
Confidence
89% confidence
Finding
auto-execute

Credential Access

High
Category
Privilege Escalation
Content
network:
        - wallet-data.kryptogo.app
      permissions:
        - filesystem:write:~/.openclaw/workspace/.env
        - filesystem:write:~/.openclaw/workspace/memory/
      runtime_installs:
        - "pip: solders, requests (installed by scripts/setup.py on first run)"
Confidence
92% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
source ~/.openclaw/workspace/.env && bash scripts/cron-examples.sh setup-default

# Autonomous mode (opt-in): auto-buys and auto-sells
source ~/.openclaw/workspace/.env && bash scripts/cron-examples.sh setup-autonomous

# Remove all cron jobs
bash scripts/cron-examples.sh teardown
Confidence
94% confidence
Finding
.env

VirusTotal

66/66 vendors flagged this skill as clean.
