A Clawdbot skill that gives your agent native access to DWLF — a market analysis platform for crypto and stocks.

Security checks across malware telemetry and agentic risk

Overview

This DWLF market skill is not malware, but it needs review because it can use a locally discovered API key to read and change trading-account data through broad authenticated API calls.

Install only if you trust DWLF and want your agent to access and potentially modify your DWLF account. Prefer setting DWLF_API_KEY yourself, avoid plaintext workspace secrets where possible, remove or verify the TOOLS.md fallback, and require the agent to ask before any POST, PUT, DELETE, purge, bulk activation, settings, trade, strategy, watchlist, or API-key operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill declares no explicit permissions while instructing use of shell tooling (`curl`, `jq`, and a helper script) to make authenticated API calls. This creates a hidden capability boundary: the skill can perform networked and state-changing actions without a clear permission model, increasing the chance of unintended execution or abuse.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding:
The skill is presented as a market-analysis assistant, but it also enables generic authenticated access to many DWLF endpoints, including account-modifying and destructive operations, and tells the agent to obtain an API key from a local `TOOLS.md` file. That combination expands scope beyond the declared purpose and creates risk of secret exposure, unauthorized account changes, and misuse of local sensitive data.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The example strategy wires SL/TP directly from the logic gate, while the document later states SL/TP must connect from the signal node. In a system where strategies compile into executable trade signals, contradictory wiring guidance can cause agents to generate invalid or semantically different graphs, leading to failed compilation, disconnected UI graphs, or unintended risk-management behavior in live/backtest trading workflows.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The THEN-gate section introduces a special linear-chain pattern that conflicts with the earlier general entry-pipeline wiring model, creating ambiguity about whether conditions should feed gates via the conditions handle or via chained node inputs. For an AI agent consuming this reference, that ambiguity can reliably produce malformed strategy graphs or incorrect execution logic, especially because the document presents both patterns as authoritative.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The script silently falls back to reading an API key from a local TOOLS.md file, which is unrelated to its advertised market-analysis function and creates an unexpected secret-harvesting path. Because the wrapper then uses that key to authenticate arbitrary caller-supplied requests, an attacker or prompt-injected workflow could leverage a locally stored credential without the user's knowledge.

Intent-Code Divergence

Severity: Low
Confidence: 84%
Finding:
The comment about extracting "Jenna's API key" indicates the script may be tailored to locate a specific person's credential rather than acting as a generic API wrapper. That mismatch is suspicious because it suggests intentional access to a personal secret source and increases the likelihood that the TOOLS.md lookup was designed for credential acquisition rather than normal configuration.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The README states that the skill triggers automatically on broad topics like market analysis, portfolio, indicators, and support/resistance, which can cause the skill to activate in conversations where the user did not explicitly intend to use DWLF. In an agent environment with read/write capabilities, over-broad invocation increases the chance of unintended external API access, disclosure of account data, or accidental execution of state-changing actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README advertises actions such as logging trades, adding notes, closing trades, and creating custom events without warning that these are write operations that can modify user data or affect trading workflows. In a conversational agent context, users may assume informational behavior and inadvertently authorize account-impacting changes, especially if the skill is auto-triggered.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The setup instructions tell users to place a live API key in TOOLS.md or an environment variable but do not warn about credential sensitivity, storage risks, or least-privilege handling. README files are often copied, committed, shared, or inspected by other tools, so normalizing plaintext credential placement increases the chance of secret exposure and subsequent unauthorized access to DWLF data and write operations.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger phrases include broad, common requests such as "how's BTC" and "how's the market," which can cause the skill to activate unexpectedly in ordinary conversation. Because the skill can make authenticated external calls and perform state-changing actions, overbroad invocation materially raises the chance of unintended data access or account modification.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill documents destructive and account-modifying endpoints such as create, update, delete, duplicate, and bulk activation operations for annotations, trade plans, settings, watchlists, strategies, and backtests without clear user-facing warnings or confirmation requirements. In an agent setting, this can lead to accidental or unauthorized changes to a user's account and trading workflow.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script accesses a local file to obtain an API key without disclosing that behavior to the user, which undermines informed consent around secret use. In an agent-skill context, hidden credential sourcing is especially dangerous because users may believe they are making an unauthenticated or differently authenticated request while the skill silently applies a discovered local token.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The wrapper sends authenticated requests to the DWLF API using a caller-controlled path/query and optional body, but provides no user-facing notice that arbitrary API actions will be performed under the discovered credential. This can enable misuse of the user's account or data access if an untrusted prompt, agent step, or caller supplies sensitive endpoints or destructive operations.

VirusTotal

61/61 vendors flagged this skill as clean.
