Openalgo Executor

Security checks across malware telemetry and agentic risk

Overview

This trading skill broadly does what it claims, but it can place real orders and defaults to an undocumented remote endpoint instead of the documented localhost service.

Review carefully before installing. Only use this with an OpenAlgo endpoint you control, change or override the hard-coded default URL, and do not connect it to a funded account unless you add explicit live-trade confirmation, endpoint verification, and safe order limits.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Severity: Medium | Confidence: 98%
The implementation silently defaults to a hard-coded remote Tailscale IP instead of the documented localhost default, causing requests and trading actions to be sent to an unexpected external host. In a trading skill, this is especially dangerous because users may believe they are operating against a local/sandbox endpoint while actually transmitting account-sensitive data and potentially placing live orders on a remote system.

Missing User Warnings

Severity: High | Confidence: 95%
The skill directly documents live order placement commands without warning that these operations may execute real trades and affect user assets. In a high-risk financial context, omission of safety warnings and confirmation requirements increases the chance of accidental or socially engineered market orders.

Missing User Warnings

Severity: Medium | Confidence: 91%
Allowing a user-specified endpoint URL without validation or warning means the skill may send trading instructions, symbols, positions, and potentially account-related data (including the API key) to an arbitrary remote host. This creates SSRF-like risk, data exfiltration exposure, and the possibility of directing live trading actions to attacker-controlled services; a prompt injection that changes the URL is enough to redirect orders.

Missing User Warnings

Severity: High | Confidence: 94%
The script can place buy or sell orders immediately with no confirmation, dry-run mode, or user-facing warning despite these actions being financially irreversible. In the context of an agent skill for trading, this materially increases the risk of accidental or prompt-induced trades, especially when combined with a remote default endpoint.
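The mitigations the overview asks for (endpoint verification, an explicit live-trade confirmation, safe order limits and a dry-run default) as one added Python example. This is not the skill's code and not OpenAlgo's; the documented localhost default URL, the OPENALGO_HOST and OPENALGO_API_KEY variable names, the /api/v1/placeorder path and the order field names are assumptions, and the 100.64.0.1 address that stands in for a remote Tailscale-range host in the demo is constructed.

```python
"""Gates an OpenAlgo-style order helper should pass before any request leaves the host.
Added example, not the skill's code. Endpoint default, env variable names and the
/api/v1/placeorder path are assumptions."""
import json
import os
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlparse

DOCUMENTED_DEFAULT = "http://127.0.0.1:5000"        # assumed documented local default
LOCAL_HOSTS = frozenset({"127.0.0.1", "localhost", "::1"})


class EndpointError(ValueError):
    """Configured endpoint is not one the operator allow-listed."""


class OrderRejected(ValueError):
    """Order failed the limit or confirmation checks."""


def verify_endpoint(url, allowed_hosts=LOCAL_HOSTS):
    """Normalise url and refuse anything outside the allowlist.

    Stops a silently changed default (a hard-coded remote IP) or a user- or
    prompt-supplied URL from receiving orders: http(s) only, no embedded
    credentials, and the host must be explicitly listed by the operator."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise EndpointError(f"unsupported scheme {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise EndpointError("credentials embedded in endpoint URL")
    if not parts.hostname:
        raise EndpointError("endpoint URL has no host")
    if parts.hostname not in allowed_hosts:
        raise EndpointError(f"host {parts.hostname!r} is not an allow-listed OpenAlgo endpoint")
    return f"{parts.scheme}://{parts.netloc}"


def resolve_endpoint(env=os.environ, allowed_hosts=LOCAL_HOSTS):
    """Endpoint from OPENALGO_HOST (assumed name) or the documented local default,
    always passed through verify_endpoint, even for dry runs."""
    return verify_endpoint(env.get("OPENALGO_HOST", DOCUMENTED_DEFAULT), allowed_hosts)


@dataclass(frozen=True)
class OrderLimits:
    max_quantity: int = 10                     # per-order cap chosen by the operator
    allowed_symbols: frozenset = frozenset()   # empty means no symbol restriction


@dataclass(frozen=True)
class OrderRequest:
    symbol: str
    action: str          # "BUY" or "SELL"
    quantity: int
    exchange: str = "NSE"
    pricetype: str = "MARKET"
    product: str = "MIS"


def build_order(req, limits, *, live=False, confirm=None):
    """Validate req against limits and the live-trade gate; returns (payload, dry_run).

    live=False (the default) only returns the payload for inspection. live=True
    additionally requires a confirm callable, backed by a human, to approve the
    exact payload. Nothing is transmitted here."""
    if req.action not in ("BUY", "SELL"):
        raise OrderRejected(f"action must be BUY or SELL, got {req.action!r}")
    if not isinstance(req.quantity, int) or req.quantity <= 0:
        raise OrderRejected("quantity must be a positive integer")
    if req.quantity > limits.max_quantity:
        raise OrderRejected(f"quantity {req.quantity} exceeds cap {limits.max_quantity}")
    if limits.allowed_symbols and req.symbol not in limits.allowed_symbols:
        raise OrderRejected(f"symbol {req.symbol!r} is not allow-listed")
    payload = {"symbol": req.symbol, "action": req.action, "quantity": req.quantity,
               "exchange": req.exchange, "pricetype": req.pricetype, "product": req.product}
    if not live:
        return payload, True
    if confirm is None or not confirm(payload):
        raise OrderRejected("live order not confirmed by operator")
    return payload, False


def interactive_confirm(payload):
    """Human-in-the-loop gate: the operator must retype action, symbol and quantity."""
    expected = f"{payload['action']} {payload['symbol']} {payload['quantity']}"
    print("LIVE ORDER about to be sent:", json.dumps(payload))
    return input(f"Type '{expected}' to proceed: ").strip() == expected


def _post_json(url, body, headers):
    """Default transport; tests inject a fake so nothing leaves the host."""
    request = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.loads(resp.read().decode())


def place_order(req, limits, *, live=False, confirm=None, env=os.environ, transport=_post_json):
    """Verify endpoint first, validate the order, send only if the live gate passed."""
    base = resolve_endpoint(env)
    payload, dry_run = build_order(req, limits, live=live, confirm=confirm)
    if dry_run:
        return {"status": "dry-run", "endpoint": base, "payload": payload}
    apikey = env.get("OPENALGO_API_KEY")       # assumed variable name
    if not apikey:
        raise OrderRejected("OPENALGO_API_KEY not set")
    body = dict(payload, apikey=apikey)
    return transport(f"{base}/api/v1/placeorder", body, {"Content-Type": "application/json"})


if __name__ == "__main__":
    limits = OrderLimits(max_quantity=5)
    print(place_order(OrderRequest("RELIANCE", "BUY", 1), limits))   # dry run against the local default
    try:   # constructed remote address standing in for a Tailscale-range host
        place_order(OrderRequest("RELIANCE", "BUY", 1), limits, env={"OPENALGO_HOST": "http://100.64.0.1:5000"})
    except EndpointError as e:
        print("refused:", e)
```

The gate is only as strong as who controls the `live` flag and the `confirm` callable: if the agent can pass `live=True, confirm=lambda p: True` itself, the check is decorative. In a deployed skill the flag should come from a human-run command line and the confirmation from a TTY prompt such as `interactive_confirm`, outside anything the model's output can reach.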

VirusTotal

65/65 vendors flagged this skill as clean. Antivirus engines match known-malicious code, so a clean result does not address the behavioural findings above (the remote default endpoint and unconfirmed live orders), which are design issues rather than malware signatures.