OpenMM

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate trading skill, but it gives agents and chat commands real exchange-trading authority, including an immediate cancel-all command, so users should review it carefully before enabling live credentials.

Install only if you intentionally want an agent or OpenClaw chat channel connected to exchange accounts. Use testnet or small, separate API keys first; disable withdrawals and transfers; apply IP allowlists where possible; avoid enabling optional mutating tools unless needed; and treat /cancel-all and any live grid or order command as real financial actions requiring human confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Missing User Warnings

Severity: Medium, Confidence: 90%
Finding
The README describes skills for exchange setup, grid trading, portfolio management, and order handling without prominent warnings that these capabilities can place trades, affect real funds, or require sensitive API credentials. In an agent-skill context, this omission increases the chance that a user or autonomous agent enables high-impact financial actions without understanding account, market, or loss exposure.

Missing User Warnings

Severity: Medium, Confidence: 94%
Finding
This section documents live order creation and cancellation commands that can directly affect real exchange accounts, but it does not prominently warn that these actions may immediately execute trades, incur fees, or realize losses. In a skill intended for AI-agent use, showing executable live-trading examples without strong confirmation and safety gating increases the chance that an agent or user treats them as routine commands and triggers irreversible financial actions.

Missing User Warnings

Severity: Medium, Confidence: 96%
Finding
The MCP tool list exposes mutating tools such as create_order, cancel_order, cancel_all_orders, and start_grid_strategy with only descriptive text and no prominent warning that they can place or cancel live exchange orders. Because MCP tools are especially likely to be invoked by autonomous or semi-autonomous agents, insufficient warning and guardrails materially increase the risk of unintended financial loss or disruption of existing trading positions.

Vague Triggers

Severity: Medium, Confidence: 86%
Finding
The command list includes very broad triggers such as "price", "strategy", "orders", and especially "cancel-all", which are common natural-language terms and appear to lack any namespace or scope constraint in this manifest. In a chat or agent-integrated context, broad triggers increase the chance of accidental invocation, command collision with other plugins, or misuse of sensitive trading actions, which is more dangerous here because the skill can place and cancel market orders across exchanges.

Missing User Warnings

Severity: Medium, Confidence: 94%
Finding
The `/cancel-all` command performs a destructive trading action immediately based on chat arguments, with only `requireAuth: true` as a guard and no explicit confirmation step, preview, or scoped safety check. In an agent-integrated trading skill, a mistaken invocation, prompt-induced action, or compromised authenticated session could cancel active orders and disrupt trading strategies, causing financial loss or operational impact.

Missing User Warnings

Severity: Medium, Confidence: 89%
Finding
The README instructs users to place exchange API credentials into environment variables but provides no guidance on secure handling, least-privilege API key scopes, or the risks of exposing secrets through shell history, logs, screenshots, shared terminals, or inherited process environments. In a trading-related plugin, these credentials may grant access to account balances and potentially broader exchange permissions if users reuse existing keys, so the omission can lead to credential leakage or misuse.

Missing User Warnings

Severity: Medium, Confidence: 92%
Finding
The skill instructs users to configure exchange API credentials and run balance/order queries against third-party exchanges, but it does not clearly disclose that account-identifying and portfolio-related data will be transmitted to those external services. In a financial context, this omission can lead to unintended exposure of sensitive account metadata and trading activity, especially when agents or users assume the skill is purely local or informational.

Missing User Warnings

Severity: Medium, Confidence: 90%
Finding
The README explicitly instructs users to move from a dry run to live trading with real exchange credentials, but it does not warn that this can place real market orders, incur losses, or trigger autonomous trading behavior. In a trading plugin, omission of these warnings materially increases the chance of accidental live execution and financial harm, especially for inexperienced users following copy-paste setup steps.

Missing User Warnings

Severity: Medium, Confidence: 95%
Finding
The README tells users to export API keys and secrets directly in their shell environment without warning that these are highly sensitive credentials. This can lead to accidental disclosure through shell history, screenshots, shared terminals, process inspection, misconfigured environments, or reuse of unrestricted keys tied to live exchange accounts.

Missing User Warnings

Severity: Medium, Confidence: 94%
Finding
This CLI reference documents live trading and destructive order-management commands such as order creation, cancellation, and cancel-all without prominent warnings that these actions affect real exchange accounts and may be irreversible once executed. In an agent skill context, documentation is often used directly to construct commands, so omission of safety guidance increases the chance of unintended real trades, mass order cancellations, or financial loss.

Missing User Warnings

Severity: Medium, Confidence: 97%
Finding
The grid trading section describes starting an automated strategy and presents live examples without a prominent warning that omitting --dry-run initiates real automated trading on connected exchanges. Because this is an autonomous trading feature, the skill context makes the issue more dangerous: an agent or user following the docs could unintentionally deploy a bot that continuously places and replaces live orders, amplifying losses beyond a single mistaken trade.

Missing User Warnings

Severity: Medium, Confidence: 95%
Finding
The reference documents live trading primitives such as placing market/limit orders and cancelling orders, but it does not prominently warn that these operations can affect real funds, execute immediately, or be difficult or impossible to reverse once filled. In an agent-facing skill, omission of such guardrails increases the chance that an LLM or user invokes destructive financial actions without informed confirmation.

Missing User Warnings

Severity: Medium, Confidence: 94%
Finding
The strategy section describes automation that can place or cancel multiple orders, including stopping strategies by cancelling all open orders, but lacks strong warnings about aggregate financial exposure and cascading market effects. Although `start_grid_strategy` defaults to dry-run, the documentation still enables transition to live execution without emphasizing the risks of bulk order placement and cancellation.

Missing User Warnings

Severity: Medium, Confidence: 90%
Finding
The skill instructs users to place exchange API secrets in shell exports, .env files, and MCP client configuration, including inline JSON examples with plaintext credentials, without clearly warning that these secrets can leak through committed config files, local filesystem exposure, process/environment inspection, screenshots, or logs. In a trading context, exposed API keys can enable unauthorized trading activity and account reconnaissance; even without withdrawal permissions, attackers may still place destructive trades or manipulate positions.

Missing User Warnings

Severity: Medium, Confidence: 92%
Finding
The examples prominently show commands that will place live exchange orders when `--dry-run` is omitted, but the skill does not clearly warn that this uses the user's configured exchange credentials and can execute real trades immediately. In an agent-facing trading skill, this omission increases the chance of accidental financial actions, especially if an agent or user copies the example as-is.

Missing User Warnings

Severity: Medium, Confidence: 89%
Finding
The skill metadata lists exchange API key environment variables, but provides no accompanying warning about secure credential handling, least-privilege API scopes, or the risk of exposing keys to logs, prompts, or shared environments. Because these credentials enable trading actions on real exchanges, poor handling can lead to unauthorized trades or account misuse.

Missing User Warnings

Severity: Medium, Confidence: 90%
Finding
The skill instructs users to place live exchange API credentials in shell exports, plaintext .env files, and MCP client configuration without clearly warning that these locations may be exposed through shell history, shared config files, backups, screenshots, logs, or accidental commits. Because these are trading credentials for financial accounts, disclosure could let an attacker read balances and place trades even if withdrawals are disabled.

Missing User Warnings

Severity: Medium, Confidence: 90%
Finding
The skill presents a live trading command immediately after a dry-run example without an equally explicit warning that omitting --dry-run can place real exchange orders using configured API credentials. In an agent-executed context, this increases the chance of unintended financial transactions, especially because the skill is designed for automation and references live exchange API keys in metadata.

Missing User Warnings

Severity: Medium, Confidence: 92%
Finding
The skill instructs use of exchange-specific commands that rely on API keys and expose balances, orders, and market/account context, but it provides no explicit warning that these operations access sensitive financial account data and interact with third-party exchanges. In an agent setting, that omission increases the risk that a user or automated workflow invokes the skill without informed consent, unintentionally disclosing portfolio information or querying live accounts.

VirusTotal

66/66 vendors flagged this skill as clean.