Back to skill

Security audit

Maxxit Lazy Trader

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate trading integration, but it can place or change live financial trades automatically with limited safeguards.

Install only if you intentionally want OpenClaw to access trading accounts and potentially place real orders. Verify MAXXIT_API_URL is the official HTTPS Maxxit origin, keep Maxxit and Kite credentials secret, do not run the strategy scripts on live funds without your own approval gate or dry-run controls, and set strict limits for venue, symbol, collateral, and leverage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Tainted flow: 'MAXXIT_API_URL' from os.environ.get (line 18, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
log(f"Starting Volatility Breakout Bot | Market: {MARKET} | Venue: {VENUE}")
    
    # 1. Get Club Details
    club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()
    user_address = club.get("user_wallet")
    agent_address = club.get("ostium_agent_address")
Confidence
90% confidence
Finding
club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()

Tainted flow: 'MAXXIT_API_URL' from os.environ.get (line 18, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
log(f"Starting Mean Reversion Bot | Market: {MARKET} | Venue: {VENUE}")
    
    # 1. Get Club Details
    club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()
    user_address = club.get("user_wallet")
    agent_address = club.get("ostium_agent_address")
Confidence
93% confidence
Finding
club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()

Tainted flow: 'MAXXIT_API_URL' from os.environ.get (line 19, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
log(f"Starting VWAP Bot | Market: {MARKET} | Venue: {VENUE}")
    
    # 1. Get Club Details
    club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()
    user_address = club.get("user_wallet")
    agent_address = club.get("ostium_agent_address")
Confidence
89% confidence
Finding
club = requests.get(f"{MAXXIT_API_URL}/api/lazy-trading/programmatic/user-details", headers=session.headers).json()

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares only environment requirements while the content clearly instructs use of network access, local file state, and executable scripts. That permission/capability mismatch can bypass user and platform expectations, making a high-risk trading skill appear less powerful than it is. In the context of automated trading and credentialed API use, hidden capabilities materially increase operational and financial risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description and documented behavior are materially inconsistent: it advertises broad venues and features, while also introducing autonomous strategy execution and external Binance data dependencies that are not clearly reflected in the manifest/summary. For a trading skill, that mismatch can mislead users into authorizing behavior they did not intend, including automated order execution based on third-party data. Capability misrepresentation is especially dangerous when real funds, API credentials, and on-chain trading are involved.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README materially understates the skill's capabilities compared with the manifest, documenting only perpetual futures trading while the metadata claims additional functions such as Zerodha stock trading, research/market data, copy-trading, and marketplace features. This mismatch can mislead reviewers and users about the true attack surface and operational risk, causing them to grant trust, credentials, or permissions without understanding all exposed behaviors.

Intent-Code Divergence

High
Confidence
84% confidence
Finding
The skill's manifest requires only Maxxit variables, but the Zerodha section instructs use of additional broker credentials and access tokens. That discrepancy can cause hidden credential expectations, insecure ad hoc handling of secrets, or execution paths that rely on undeclared sensitive inputs. In a brokerage context, undocumented secret handling materially increases account-compromise and unauthorized-trading risk.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The strategy pulls live market data from Binance even though the declared skill functionality centers on Maxxit/Ostium/Avantis/Zerodha surfaces. This creates an undeclared external dependency and leaks trading interest metadata externally; it also introduces integrity risk because trade decisions on one venue are driven by unauthenticated third-party data.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The strategy relies on Binance market data to generate live trading signals, but that dependency is not reflected in the skill description. In a trading skill, undisclosed third-party data sources matter because users may not realize their positions are being driven by an external venue with different market structure, outages, or manipulated data.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The strategy silently relies on Binance market data even though the skill description centers on Maxxit-supported venues and Zerodha. In an automated trading skill, undisclosed third-party data dependencies increase operational and trust risk because trade decisions can be influenced by an external source the user may not expect or consent to.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README encourages users to send live trading signals and execute leveraged perpetual futures trades but provides no warning about liquidation risk, loss of funds, execution errors, or the consequences of automated trade placement. In a skill whose core purpose is placing real trades, omission of risk disclosures and safety constraints increases the chance that users trigger dangerous financial actions without informed consent or operational safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to export a MAXXIT_API_KEY without explaining that the credential may authorize live trading and therefore functions as a high-impact secret. Users may store it insecurely, paste it into shared shells, logs, or repositories, or expose it to other tools, enabling unauthorized trade execution and financial loss.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad enough to match ordinary financial conversation, which can activate a live trading skill when the user may only want general information. In this context, accidental routing is more dangerous than usual because the skill can progress from discussion to real order placement and credentialed account actions.

Missing User Warnings

High
Confidence
90% confidence
Finding
The skill enables leveraged perpetuals, copy-trading, and stock order execution without an upfront, clear warning that actions may be irreversible and financially harmful. In a trading context, absence of strong risk disclosure increases the chance that users treat suggestions or automation as low-risk utility actions rather than real-money execution.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The bot can open leveraged live positions automatically based on computed signals with no explicit confirmation, dry-run gate, or operator acknowledgment in code. In a trading skill context, this is materially risky because a bad signal, misconfiguration, or hostile execution environment can immediately cause financial loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This file programmatically executes trading actions via execute_signal() without any explicit interactive confirmation, warning, dry-run default, or other user-facing safeguard at the point of execution. In the context of an agent skill for live/perpetual trading, that increases the risk of unintended orders from misconfiguration, bad signals, or automated invocation, which can directly cause financial loss.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This file directly executes trading actions when an EMA crossover signal is detected, but it does not present any explicit user-facing warning, confirmation, or dry-run safeguard before placing trades. In the context of an agent skill that can trade real assets across multiple venues, silent execution materially increases the risk of unintended or misunderstood financial actions, especially if the strategy is run by automation or invoked by another agent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically opens leveraged positions once its signal criteria are met, without any interactive confirmation, policy gate, dry-run mode, or explicit operator approval step. In an agent skill that can move funds and place trades, this creates a real risk of unintended or abusive order execution from bad inputs, strategy errors, compromised upstream data, or accidental invocation.

Missing User Warnings

High
Confidence
95% confidence
Finding
The bot can automatically close and open leveraged positions based solely on algorithmic signals, without any interactive confirmation, policy gate, or risk acknowledgment. In the context of a trading agent with API credentials, this is dangerous because a bad signal, configuration mistake, or compromised runtime can immediately trigger financial loss.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This code can automatically open leveraged positions based solely on algorithmic conditions, without any explicit user confirmation, circuit breaker, or human-approval gate. In a trading skill that controls real positions, that materially raises the risk of unauthorized or unintended financial loss from misconfiguration, bad signals, or compromise.

External Transmission

Medium
Category
Data Exfiltration
Content
def fetch_binance_klines_ohlc(market: str, interval: str = "5m", limit: int = 50) -> List[Dict[str, float]]:
    symbol = f"{market}USDT"
    url = "https://api.binance.com/api/v3/klines"
    params = {"symbol": symbol, "interval": interval, "limit": limit}
    try:
        resp = requests.get(url, params=params, timeout=10)
Confidence
78% confidence
Finding
https://api.binance.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:1963