Axelrod

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for crypto trading, but it can affect real funds and its docs allow some small trades to run without a final confirmation.

Install only if you intentionally want an agent connected to AIxVC with authority to query and trade on Base using your API keys. Use limited credentials if available, avoid broad auto-routing for general crypto discussion, and do not rely on this skill unless you are comfortable with small orders potentially executing without a separate confirmation step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly requires environment secrets and outbound network access, but it does not declare permissions accordingly. That creates a transparency and governance gap: a host agent or reviewer may not realize the skill can read credentials and send data to an external trading API, which is especially sensitive in a financial execution context.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description uses very broad triggers such as helping with crypto/DeFi topics, prices, balances, and trading in natural language, which can overlap with ordinary conversation. In an agent-routing system, that increases the chance of accidental invocation of a live trading skill for casual discussion, potentially causing unintended external queries or trade-preparation flows.

Vague Triggers

Low
Confidence
83% confidence
Finding
The example trigger phrase at this location is generic enough to resemble normal conversation and does not impose activation constraints. In a skill that can access account-linked data and initiate trading workflows, ambiguous examples materially raise the risk of unintended routing and execution-related side effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends the user's free-form message and SigV4-authenticated request data to a third-party API without any built-in user notice, consent prompt, or redaction step. In a skill explicitly intended to handle trading and on-chain queries, users may supply wallet, portfolio, or strategy details, so silent external transmission materially increases privacy and operational risk.

External Transmission

Medium
Category
Data Exfiltration
Content
## Implementation Notes

- The script uses AK/SK with SigV4-style signing to call the AIxVC.
- Current endpoint: `https://api.aixvc.io/gw/openapi/v2/public/twa/agent/chat` (`chain-id=base`).
- If documentation conflicts with code behavior, follow the script implementation.

## File Structure
Confidence
95% confidence
Finding
https://api.aixvc.io/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- **Execute**: `yes, please execute <confirmKey>`
- **Cancel**: `no, please cancel <confirmKey>`

`confirmKey` is valid for approximately **10 minutes**. Small orders (≈ ≤ $10) may skip confirmation.

## Current Limitations
Confidence
88% confidence
Finding
skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Confirmation Flow

Orders usually require risk-control confirmation; small orders (approximately ≤ $10) may skip confirmation. `confirmKey` is valid for about **10 minutes**.

When the response includes `confirmKey`, ask the user to send one of:
Confidence
90% confidence
Finding
skip confirmation

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal