moltrade

Security checks across malware telemetry and agentic risk

Overview

This is a real trading and posting assistant, but it combines live financial actions, sensitive credentials, and public posting with some unclear consent and storage boundaries.

Install only if you are prepared to treat this as a credentialed trading and publishing tool. Use testnet or test mode first, inspect and pin the external Moltrade repository before running it, use least-privilege API keys with withdrawals disabled, keep secrets in environment variables or a trusted secret manager, and require explicit approval before live trades, cancellations, DEX swaps, Nostr broadcasts, or Binance Square posts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The file documents a Binance Square posting capability that is outside the stated scope of the moltrade skill, which is supposed to operate a trading bot. Scope mismatch is dangerous because it can hide unexpected capabilities from users and reviewers, increasing the chance that the agent will request unrelated credentials or perform actions the user did not authorize. In this context, the mismatch is especially concerning because the undocumented capability involves external posting and API key handling.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
This skill exposes authenticated spot trading and order-cancellation endpoints, including destructive mainnet actions, but the referenced section only lists capabilities and does not consistently communicate financial loss risk, irreversibility, or the danger of executing against production accounts. In an agent setting, terse operational docs can normalize direct execution of buy/sell/cancel actions and increase the chance that a user or downstream agent triggers real trades without appreciating the consequences.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README tells the user to provide an API key directly to the agent and says it will be 'securely stored,' but it does not warn about the risks of transmitting secrets through the assistant interface or define a secure secret-ingestion path. This can lead users to paste credentials into chat, where they may be logged, exposed to other tools in the chain, or mishandled by the skill. The danger is heightened here because this capability is already out of scope for the declared moltrade skill, making the credential request less expected and harder for users to assess safely.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README instructs users to provide an API key to the agent and says it will be stored securely, but it does not explain where the key is stored, how it is protected, whether it is encrypted, or what trust boundary applies when handing secrets to the skill. In an agent-driven workflow, vague secret-handling guidance can cause users to disclose long-lived credentials into chat or insecure storage, increasing the risk of credential theft and account misuse.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The skill is configured to auto-run on broad phrases like 'post to square' and 'square post', which can be triggered during ordinary discussion rather than an explicit command. In a skill that performs an external publishing action, ambiguous invocation increases the risk of unintended posting of user-supplied or model-generated content to a public platform.

VirusTotal

65/65 vendors flagged this skill as clean.