Skillv0.1.0

ClawScan security

Nautilus Trader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 27, 2026, 5:41 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (trading/backtesting) matches the included code and instructions, but there are important inconsistencies: it asks for a raw Hyperliquid private key and bundles executable patch code while declaring no required credentials or installs, and the SKILL.md contains a detected unicode-control-chars injection signal — review carefully before use.
Guidance: Key points to consider before installing/using this skill: - The skill explicitly asks you to provide HYPERLIQUID_PK (a raw private key) and HYPERLIQUID_VAULT in a .env, but the registry metadata declares no required environment variables — that mismatch reduces transparency. - The package includes executable Python files (a 'patch' module and live-trading examples) that the agent is instructed to import and run; review those files (hyperliquid_patch.py, live_trading.py, set_leverage.py) line-by-line before running. - The pre-scan found unicode control characters in SKILL.md, which can hide or obfuscate content; inspect the raw files for hidden characters or injected instructions. - If you plan to use live trading: never use a real private key until you fully audit the code. Prefer testnet keys, a signing service, or an external signer/hardware wallet rather than placing raw private keys in .env. - Ask the publisher for provenance (homepage, source repo, release signing). Lack of a homepage and unknown source increases risk. - If you still want to test: run the skill in an isolated environment (air-gapped or VM), use ephemeral/testnet credentials, and monitor network calls. If the skill will be allowed to act autonomously, restrict that capability until you validate behavior. - Additional useful artifacts to request or check: full contents of hyperliquid_patch.py and set_leverage.py, any network endpoints used by the patch, and how the patch modifies NautilusTrader internals.
Findings: [unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. This pattern can be used to obfuscate or manipulate parsing and is not expected for a straightforward developer guide. It could be benign (formatting artifact) but warrants manual review of the raw SKILL.md and bundled files to ensure no hidden instructions or obfuscation.

Review Dimensions

Purpose & Capability: concernName/description (NautilusTrader + Hyperliquid live trading) is consistent with the code and docs included. However, the skill metadata declares no required environment variables or credentials while the runtime instructions explicitly require HYPERLIQUID_PK (private key) and HYPERLIQUID_VAULT. That mismatch is incoherent and reduces transparency about what secrets the skill needs.
Instruction Scope: concernSKILL.md instructs the user/agent to import a local patch module (hyperliquid_patch) before importing NautilusTrader, create a .env containing a raw private key, and to run live-trading and leverage-setting scripts. Those runtime instructions cause the agent to execute bundled Python code that will use a sensitive private key; the skill instructions access sensitive environment variables that were not declared in the registry metadata. No instructions appear to demand unrelated system files, but the undisclosed secret usage is a scope and transparency problem.
Install Mechanism: noteThere is no install spec (instruction-only), which is lower risk than arbitrary downloads. The SKILL.md recommends pip installing nautilus_trader and hyperliquid-python-sdk from PyPI — expected for this purpose. The skill does bundle three Python modules (hyperliquid_patch.py, live_trading.py, set_leverage.py) that the agent may import and execute; bundling executable code without an explicit install step or provenance is worth scrutiny.
Credentials: concernThe runtime instructions require HYPERLIQUID_PK (a raw private key) and HYPERLIQUID_VAULT; asking for a private key is proportionate to live trading but highly sensitive. The skill metadata did not declare any required env vars or a primary credential, creating an opacity problem. There are no other unrelated credentials, but the absence of declared secrets in registry metadata while instructing to provide them is a red flag.
Persistence & Privilege: okSkill flags: always=false and model invocation enabled (normal). The skill does not request permanent 'always' presence or system-level configuration changes in the provided materials. Autonomous invocation is allowed by default — combine that with the private-key usage only if you plan to let the agent act on its own with real funds.