Back to skill

Security audit

A Clawdbot skill that gives your agent native access to DWLF — a market analysis platform for crypto and stocks.

Security checks across malware telemetry and agentic risk

Overview

This DWLF market-analysis skill is not clearly malware, but it needs review because it can use local API keys and broadly change DWLF account data.

Install only if you trust DWLF and want an agent to access and potentially modify your DWLF account. Prefer setting DWLF_API_KEY explicitly, avoid plaintext shared TOOLS.md secrets, remove or verify the person-specific TOOLS.md fallback, and require confirmation before any POST, PUT, DELETE, purge, bulk activation, settings, trade, strategy, watchlist, or API-key action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares shell-capable dependencies (`curl`, `jq`) and instructs use of a helper shell script, but does not declare permissions or guardrails for code execution. This creates an execution surface for outbound requests and file access that may exceed user expectations and platform policy, especially when combined with authenticated API usage.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill says to read an API key from `TOOLS.md`, introducing local secret discovery behavior that is broader than its stated market-analysis purpose. It also supports generic authenticated requests via a helper script, enabling arbitrary access to the DWLF account rather than only the narrowly described user-facing features.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document gives contradictory wiring guidance for stop-loss and take-profit nodes: the example connects SL/TP from a logic gate while the rules state they must connect from the signal node. In a strategy-building skill, this can cause agents to generate invalid or semantically incorrect strategies that compile or render inconsistently, leading to unintended trading behavior or failure to apply risk controls.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The 'Simple' and 'Two Conditions AND'd' reference patterns instruct connecting SL and TP directly from the AND gate, which conflicts with the later explicit rule that these nodes must connect from the signal node. Because these are presented as reusable templates for AI agents, they are likely to be copied verbatim and can systematically produce malformed strategies or strategies with missing/incorrect risk-management linkage.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The WCL-style complex example repeats the same contradiction by showing SL/TP attached from the AND gate instead of from the signal node. In the context of an automated trading strategy skill, misleading complex examples are especially risky because users and agents may trust them as authoritative, causing broad propagation of invalid strategy graphs and potentially disabling or misplacing protective exits.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script attempts to recover an API credential from a local TOOLS.md file when the expected environment variable is absent. That creates an undocumented secret-harvesting behavior unrelated to a normal generic API wrapper, and the hardcoded reference to a specific person's key strongly suggests targeted credential access rather than legitimate configuration handling.

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
The comment explicitly says the code is extracting "Jenna's API key," which is inconsistent with a generic DWLF client and indicates awareness of a specific victim credential source. Even though this is a comment-associated finding, it corroborates that the file access logic is intentional credential targeting, increasing confidence that the surrounding behavior is unsafe.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README says the skill 'triggers automatically' on a broad set of topics such as market analysis, portfolio, indicators, and support/resistance, which can cause the skill to activate in conversations where the user did not explicitly intend DWLF access. Because the skill supports read/write trading and portfolio actions, ambiguous triggering increases the chance of unintended account-affecting operations or unnecessary exposure of financial data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises capabilities like logging trades, closing trades, portfolio access, and other account-affecting actions without warning users that the skill can perform sensitive financial operations. In a trading context, omission of clear warnings and confirmation guidance is dangerous because accidental or misunderstood prompts could lead to unauthorized trade modifications, data exposure, or irreversible journal/account changes.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match common conversational prompts such as 'how's BTC' or 'how's the market,' increasing the chance the skill activates unexpectedly. Because the skill can perform authenticated reads and writes, accidental invocation can expose account data or cause unintended actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented API surface includes destructive and account-modifying operations such as PUT/POST/DELETE on annotations, trade plans, settings, watchlists, and backtests, but the skill does not warn users or require confirmation for mutations. In an agent context, this can lead to silent data modification, deletion, or account reconfiguration from an ambiguous request.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The API key creation endpoint returns a raw secret and only notes that it is shown once, without explicit handling guidance. In an agent context, this increases the risk that a newly generated credential could be echoed to users, logged in chat transcripts, or stored insecurely, leading to credential compromise and unauthorized API access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently accesses a local file to obtain a credential without clear user disclosure or consent. In the context of a market-analysis skill, this is especially dangerous because it can exfiltrate or misuse API credentials from the host environment under the guise of normal platform access.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.