Aster-Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto trading automation skill, but it can place live leveraged market orders on a schedule without clear user approval or safe default controls.

Only install this if you intentionally want an automated live crypto trading bot. Use restricted exchange API keys with withdrawals disabled, limit account balance and position size, verify the Aster/OpenNews dependencies and entry file, and do not enable scheduled live trading unless you accept that orders may be placed without manual confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill explicitly describes automated leveraged market-order trading with stop-loss/take-profit, but provides no user-facing warning, approval gate, or discussion of account and liquidation risk. In this context, the absence of risk disclosure is dangerous because the skill can directly trigger real financial actions based on noisy news/LLM classification, increasing the chance of rapid losses or unintended trades.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill places live leveraged MARKET orders automatically based on model output, with no user confirmation, approval workflow, dry-run mode, or explicit risk acknowledgment. In this context, the code is directly connected to a trading API and can open positions on real funds, so model mistakes, bad data, or manipulated inputs can immediately cause financial loss.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly states it will classify crypto news and place long/short orders on a recurring 5-minute schedule, but the description does not warn users that it can autonomously execute real financial trades. In this context, omission of a prominent warning is dangerous because users may install or enable the skill without appreciating the frequency, automation, market risk, and potential for rapid losses from incorrect signals or malformed configuration.

Ssd 4

High
Confidence
99% confidence
Finding
Untrusted external news content is inserted into the LLM prompt and the resulting output is used to drive real trading decisions, creating a direct data-to-action path with no trust boundary. An attacker who can influence article content, tweets, or metadata could shape the model's sentiment classification and trigger harmful trades, especially because the downstream action is automated leveraged execution.

Ssd 1

Medium
Confidence
96% confidence
Finding
The prompt asks the model to analyze arbitrary news text but does not explicitly instruct it to ignore embedded instructions, roleplay, tool requests, or adversarial content inside the articles. Because the model output governs trading decisions, semantic prompt injection in fetched news can bias sentiment, confidence, or recommended_action and indirectly manipulate execution.

VirusTotal

66/66 vendors flagged this skill as clean.
