Kraken Exchange

Security checks across malware telemetry and agentic risk

Overview

This Kraken skill is transparent about its purpose, but it gives an agent high-impact control over real crypto funds and stores powerful exchange credentials in a way users should review carefully.

Install only if you intentionally want an agent-connected Kraken integration. Prefer read-only API keys for prices, balances, and history; enable trading, transfer, futures, earn, or withdrawal permissions only for deliberate live use. Verify the tentactl binary source, protect or avoid ~/.tentactl.env, review any cron automation carefully, and require explicit confirmation before any order, cancellation, transfer, allocation, or withdrawal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tainted flow: 'binary' from os.environ.get (line 8, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
notif = json.dumps({"jsonrpc":"2.0","method":"notifications/initialized"})
call = json.dumps({"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":tool,"arguments":args}})

proc = subprocess.Popen([binary], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
proc.stdin.write(init + "\n" + notif + "\n" + call + "\n")
proc.stdin.flush()
Confidence
96% confidence
Finding
proc = subprocess.Popen([binary], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger description is very broad, covering generic mentions of crypto trading and portfolio management. That can cause the skill to activate in conversations where Kraken access is unnecessary, increasing the chance of exposing financial data, requesting credentials, or invoking trading-related tools in the wrong context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
`wf_batch_order` is explicitly marked as REAL MONEY and can send, cancel, or edit multiple futures orders in one call, but its description does not require an explicit user confirmation step. In a trading skill, missing a confirmation safeguard materially increases the chance of accidental or prompt-injected execution of high-impact financial actions affecting live funds and positions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
`wf_cancel_order` performs a real-money destructive action by cancelling futures orders, yet its warning says 'Confirm with user before calling' only in prose and may not be enforced as consistently as in other tools. The static finding is reasonable because cancellation can directly disrupt trading strategy and risk management. In this skill context, order cancellation is operationally sensitive and can cause real financial loss even without direct fund withdrawal.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script retrieves Kraken API credentials and persists them in plaintext to a local file under the user's home directory. Although it applies restrictive file permissions, there is no explicit warning that the secrets will be stored on disk, which increases the risk of accidental exposure through backups, shell workflows, endpoint compromise, or later misuse by other local processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
In the manual-entry flow, the user is prompted to type highly sensitive API credentials and the script silently writes them to ~/.tentactl.env. Even with chmod 600, this creates a plaintext at-rest secret that may be copied into backups, harvested by malware, or remain longer than the user expects because the persistence behavior is not prominently disclosed at input time.

Credential Access

High
Category
Privilege Escalation
Content
},
        "privacy":
          {
            "files_written": ["~/.tentactl.env"],
            "network": ["api.kraken.com", "futures.kraken.com", "ws.kraken.com", "futures.kraken.com/ws/v1"],
            "notes": "API keys are stored in ~/.tentactl.env (chmod 600). Market data endpoints require no authentication. Account and trading endpoints require KRAKEN_API_KEY and KRAKEN_API_SECRET.",
          },
Confidence
88% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
{
            "files_written": ["~/.tentactl.env"],
            "network": ["api.kraken.com", "futures.kraken.com", "ws.kraken.com", "futures.kraken.com/ws/v1"],
            "notes": "API keys are stored in ~/.tentactl.env (chmod 600). Market data endpoints require no authentication. Account and trading endpoints require KRAKEN_API_KEY and KRAKEN_API_SECRET.",
          },
      },
  }
Confidence
86% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.
