xaut-trade

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill openly discloses its crypto-trading purpose, but it can sign and submit real on-chain transactions, and its default policy permits small trades without a blocking confirmation.

Install only if you want an AI agent to help operate a real crypto wallet. Use a dedicated low-balance wallet, require explicit confirmation for every on-chain write, verify setup scripts and remote installers before running them, and disable or review delegated trading skills you do not intend to use.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Env credential access

Critical
Finding
Environment variable access combined with network send.

Env credential access

Critical
Finding
Environment variable access combined with network send.

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

Secret argv exposure

Critical
Finding
Instructions pass high-value credentials through process argv.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

A small trade can spend funds and gas if the agent interprets the user's request as executable, even if the user expected a final confirmation step.

Why it was flagged

This explicitly allows a real on-chain swap below the configured threshold to proceed after a preview without waiting for a fresh user confirmation.

Skill content

- `< risk.confirm_trade_usd`: show full preview, then execute without blocking confirmation

Recommendation

Require explicit confirmation for every approve, swap, and cancel action; set `confirm_trade_usd` to 0 and `approve_confirmation_mode` to `always` if you install it.

ASI03: Identity and Privilege Abuse
High
What this means

If configured with a funded wallet, the skill can authorize blockchain approvals, swaps, limit orders, and cancellations involving real assets.

Why it was flagged

The skill clearly discloses that wallet access and signing authority are central to its operation.

Skill content

**By design**: this skill executes on-chain financial transactions ... Direct wallet access and transaction signing are core capabilities

Recommendation

Use a dedicated low-balance wallet, keep seed phrases out of chat, protect password files, and review every transaction before allowing execution.

ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

Running the installer gives remote setup code access to the local machine.

Why it was flagged

The Foundry setup path downloads and executes a remote installer, which is disclosed and optional for Foundry mode but still requires trust in the upstream installer.

Skill content

`curl -L https://foundry.paradigm.xyz | bash && ... foundryup`

Recommendation

Prefer WDK mode if you do not need Foundry, or download and inspect the Foundry installer before running it.

ASI05: Unexpected Code Execution
Medium
What this means

If the resolved path is not the installed skill's script, the agent could run unintended local shell code.

Why it was flagged

The automated setup instructions can locate and execute a setup.sh from the user's home directory; this is intended setup behavior, but the path should be verified before execution.

Skill content

`find "$HOME" -maxdepth 6 -type f -path "*/xaut-trade/scripts/setup.sh" ... && bash "$SETUP_PATH"`

Recommendation

Have the agent print the resolved setup path first, confirm it is inside the installed xaut-trade skill directory, and inspect the script before running it.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Requests about betting, perps, leverage, or other markets may be handed to separate skills with their own permissions and risks.

Why it was flagged

The skill may route non-XAUT financial intents to other skills, expanding the effective trust boundary beyond this package.

Skill content

Delegates non-XAUT intents to registered skills (e.g. Polymarket prediction markets, Hyperliquid trading).

Recommendation

Verify which delegate skills are installed and ensure they also require explicit confirmation before any financial action.