QStrader - AI Trading Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a real broker-connected trading skill, and while its trading purpose is disclosed, it needs Review because it combines live account and order authority with weak scoping and unsafe setup/logging patterns.

Install only if you intentionally want an agent connected to broker-capable infrastructure. Use a private authenticated MCP endpoint, start with paper trading, require separate explicit approval for every order/change/close action, review the .env file before running setup, and avoid logging or storing raw account data unless you have retention and access controls in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill explicitly instructs use of shell commands (`mcporter call`, `python3`, `bash`) and environment-based setup (`.env`) while the metadata does not declare corresponding permissions. In a trading skill with broker access, this mismatch is dangerous because an agent may execute commands or access secrets without transparent capability scoping, increasing the risk of unintended trade execution or credential exposure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The README exposes `register_new_user` and `get_access_token` as available MCP endpoints even though the skill is presented as a trading assistant. That expands the apparent trust boundary into identity and credential issuance functions, which can enable unauthorized account creation, token abuse, or privilege escalation if the agent or operator treats these endpoints as in-scope automation.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The README states that write endpoints require human confirmation, but the usage text also encourages commands like opening a long position through the agent. This inconsistency is dangerous in a trading skill because users may assume approval gates exist when the agent is actually positioned to initiate broker-affecting actions, leading to unauthorized or accidental trades.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The file documents live user-registration and token-issuance endpoints even though the skill is described as a trading assistant and states authorization is 'not used.' In a trading context with broker-connected capabilities and an unauthenticated MCP URL shown elsewhere in the same document, exposing account-creation or token flows broadens the attack surface and may enable unauthorized access paths or misuse of backend services.

Intent-Code Divergence

Severity: Low
Confidence: 88%
Finding
Labeling registration and token endpoints as 'not used' while still publishing them can create a false sense of safety and cause reviewers or operators to overlook live attack surface. In a financial/trading skill, this mismatch is especially risky because dormant-looking authentication paths may still be callable and abused for account provisioning, token harvesting, or environment probing.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The script is presented as market analysis but also retrieves live account data and includes it in the final report. In a trading-assistant context with broker-connected MCP tools, this is dangerous because a user or downstream agent invoking analysis for a ticker may unintentionally expose balances, positions, or other sensitive brokerage information unrelated to the requested task.

Missing User Warnings

Severity: High
Confidence: 93%
Finding
The README promotes automated market analysis, risk checks, position management, and broker-side trade execution without an upfront warning that this can impact live brokerage accounts and cause financial loss. In this context, the missing warning is security-relevant because it lowers operator caution around a high-risk, account-impacting integration and may lead users to authorize dangerous actions too casually.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The activation language is extremely broad: market analysis, risk checks, portfolio monitoring, and trade execution. In an agent environment, vague triggers can cause the skill to be invoked in contexts where the user wanted only analysis, but the skill also contains live trading workflows, creating a pathway to overreach into sensitive broker-connected actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The markdown directs immediate liquidation of positions when margin exceeds 50% without an explicit destructive-action warning at the point of instruction. In a broker-connected skill, such guidance can pressure or automate irreversible trade closures during volatile conditions, potentially causing large realized losses if interpreted or executed without a separate user confirmation checkpoint.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%
Finding
The file is entirely in Russian while the surrounding skill metadata and analysis context are in English, with no language selection or locale restriction documented. In a trading skill that governs risk controls, this can cause operators or downstream agents to misunderstand or skip critical safety rules such as stop-loss, margin, and daily loss limits, increasing the chance of unsafe or unauthorized trading behavior.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Fetched account data is serialized and printed directly to stdout without redaction or any warning. In agent, CI, shared terminal, or logging environments, this can leak sensitive financial data into logs, transcripts, and observability systems where it may be retained or exposed to unauthorized parties.

Credential Access

Severity: High
Category: Privilege Escalation
Content
exit 1
    fi
fi
echo "✅ .env найден"

# Load variables
set -a; source "$SKILL_DIR/.env"; set +a
Confidence: 91%
Finding
.env

Credential Access

Severity: High
Category: Privilege Escalation
Content
TEST_RESULT=$(mcporter call my-n8n-mcp.Get_account_data 2>&1 || echo "FAILED")
if echo "$TEST_RESULT" | grep -q "error\|FAILED\|ECONNR"; then
    echo "❌ Не удалось подключиться к n8n MCP"
    echo "   Проверьте N8N_MCP_URL в .env"
    echo "   Ответ: $TEST_RESULT" | head -5
else
    echo "✅ Подключение успешно!"
Confidence: 89%
Finding
.env"

VirusTotal

66/66 vendors flagged this skill as clean.