Security audit

Maxxit 0G Trading

Security checks across malware telemetry and agentic risk

Overview

This is a powerful live-trading skill whose core purpose is disclosed, but it has under-scoped financial authority and automation risks that users should review before installing.

Install only if you intend to grant live trading authority. Verify MAXXIT_API_URL is the legitimate Maxxit origin, use limited-purpose credentials and limited funded wallets/accounts, avoid running the strategy scripts without adding dry-run and risk limits, and do not connect Zerodha/Kite unless you understand the extra brokerage permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Tainted flow: 'MAXXIT_API_URL' from os.environ.get (line 18, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
log(f"Starting Volatility Breakout Bot | Market: {MARKET} | Venue: {VENUE}")

# 1. Get Club Details
club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()
user_address = club.get("user_wallet")
agent_address = club.get("ostium_agent_address")
Confidence
89% confidence
Finding
club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()

Tainted flow: 'MAXXIT_API_URL' from os.environ.get (line 18, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
log(f"Starting Mean Reversion Bot | Market: {MARKET} | Venue: {VENUE}")

# 1. Get Club Details
club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()
user_address = club.get("user_wallet")
agent_address = club.get("ostium_agent_address")
Confidence
95% confidence
Finding
club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()

Tainted flow: 'MAXXIT_API_URL' from os.environ.get (line 19, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
log(f"Starting VWAP Bot | Market: {MARKET} | Venue: {VENUE}")

# 1. Get Club Details
club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()
user_address = club.get("user_wallet")
agent_address = club.get("ostium_agent_address")
Confidence
84% confidence
Finding
club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest omits substantial Zerodha and Indian equities brokerage capabilities even though later sections document authentication, portfolio access, order placement, order modification, and GTT management. Hidden or under-disclosed financial trading capability is security-relevant because users may expose brokerage credentials and authorize actions they did not expect this skill to support.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill expands from DEX/0G trading into direct Indian brokerage order-management, including session handling, order placement, modification, cancellation, and GTT triggers. This is scope creep into a distinct high-risk domain, increasing the chance that a user invokes real-money brokerage actions under a skill they believed was limited to crypto/DEX workflows.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README includes natural-language prompts that can directly trigger real leveraged trades, including high-risk actions like 5x and 10x positions, without any accompanying warning that these may execute on live accounts or cause financial loss. In the context of an agent skill explicitly designed for trading execution, these examples lower the barrier to accidental or impulsive real-world trading and make unsafe use more likely.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The invocation guidance uses very broad trigger phrases such as generic research, portfolio, trade decision, and automation requests. Overbroad routing can cause accidental activation of a powerful trading skill in contexts where the user did not intend to authorize market actions or external API use.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill describes opening leveraged perpetual futures positions and automated strategy execution without prominent user-facing risk disclosures or irreversible-action warnings near the execution guidance. In a financial trading context, missing friction and warnings increase the chance of impulsive or misunderstood high-loss actions.

Missing User Warnings

High
Confidence
86% confidence
Finding
The bot performs network calls and can place trades without any explicit confirmation, dry-run mode, or user warning. In a trading skill, undisclosed order placement is materially risky because users may execute live leveraged positions simply by running the script, leading to financial loss if the bot is misconfigured or triggered unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The strategy automatically creates a session and calls execute_signal() to place trades when conditions are met, with no explicit interactive confirmation, dry-run default, or prominent user-facing warning at the point of execution. In a trading skill, this is security-relevant because invoking the skill can directly modify financial state and cause unintended orders if triggered by mistake, automation, or misunderstanding.

Missing User Warnings

High
Confidence
96% confidence
Finding
The code directly closes, opens, and modifies leveraged trading positions based on programmatic signals without any user confirmation, approval gate, or even a user-visible warning path. In a trading skill, this is especially dangerous because a bad signal, compromised upstream input, or logic error can immediately execute real financial actions and cause losses without the user having a chance to review the trade.

Missing User Warnings

High
Confidence
90% confidence
Finding
The bot can automatically close and open leveraged positions based solely on a simple signal and current account state, with no confirmation, dry-run mode, kill switch, or policy guardrails. In a skill context where code may be run by users or agents with live credentials, this materially increases the chance of unintended irreversible financial actions and losses from misconfiguration, bad signals, or API abuse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The bot automatically opens leveraged positions based solely on programmatic signals, without any human confirmation, approval gate, or secondary safety checks. In a trading-agent context, this is materially dangerous because bad data, logic bugs, or manipulated inputs can directly trigger real financial loss.

VirusTotal

61/61 vendors flagged this skill as clean.
