
Security audit

hyperliquid-trade

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its stated crypto-trading purpose, but it needs Review because it can sign and move funds while under-disclosing some wallet data sharing and risky configuration behavior.

Review this before installing. Use a dedicated low-balance wallet, set confirm_trade_usd to 0 if you want every trade to require confirmation, decline rankings unless you intentionally want to share wallet address and nickname with xaue.com, and inspect ~/.aurehub/.env before allowing the skill to source or modify it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill performs shell execution, reads environment/config files, and makes network calls, but it does not declare equivalent permissions up front. In an agent setting, undeclared capabilities reduce transparency and can bypass operator expectations about what the skill is allowed to access or transmit.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The top-level description advertises trading and deposit functionality but omits that the skill can also withdraw funds. Hiding or under-describing a money-moving capability increases the risk that users or orchestrators invoke a more dangerous action than expected.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill implements a funds-withdrawal path that is not disclosed in the declared description or triggers, creating a capability mismatch between what users or reviewers expect and what the code can do. In a trading skill that already handles wallet access and asset movement, an undocumented withdrawal action materially increases risk because it can enable unexpected fund transfers with reduced visibility during review, approval, or invocation flows.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The setup invocation phrase "Set up Hyperliquid" is generic enough that it could be triggered during normal conversation or ambiguous user requests, causing the assistant to enter a configuration flow for a trading skill. In a finance/trading context, unintended activation is more dangerous because setup writes config and prepares a wallet-linked trading environment that could lead to later high-risk actions.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The README states that the assistant will configure ~/.aurehub/hyperliquid.yaml, but it does not clearly warn the user up front that a file will be created or modified in the home directory. Silent or insufficiently disclosed file writes reduce user awareness and, in a wallet/trading skill, can alter risk settings or endpoints in ways the user did not expect.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list contains broad phrases like 'sell BTC', 'open long', 'close position', 'check balance', and 'fund wallet' that may match ordinary conversation in an agent environment. Because this skill can trade and move funds, accidental invocation could lead to unauthorized financial actions if routing relies on loose phrase matching.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The intent table maps ambiguous natural-language phrases directly to trading, deposit, and withdrawal flows without strict scope boundaries. In a conversational system, this raises the likelihood of false-positive intent classification leading to trades, bridge actions, or withdrawals based on casual or incomplete user statements.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger patterns are broad enough to match generic trading phrases such as buying, selling, or opening long/short positions without requiring clear Hyperliquid context. In a trading skill, this increases the chance of unintended activation on ambiguous user input, which is dangerous because the skill is capable of guiding or initiating financially sensitive actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation gives exact commands for executing confirmed spot buy/sell orders against a live trading backend, but it does not prominently warn that the `--confirmed` step places real trades and can immediately affect user funds. In an agent setting, weak or missing risk framing increases the chance of accidental execution, especially because the flow presents the action as a routine two-step process and emphasizes structured JSON outputs rather than financial consequences.

External Transmission

Medium
Category
Data Exfiltration
Content
- Register:
   ```bash
   NICKNAME_ESC=$(printf '%s' "$NICKNAME" | sed 's/\\/\\\\/g; s/"/\\"/g')
   REGISTER_RESP=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
     https://xaue.com/api/rankings/participants \
     -H 'Content-Type: application/json' \
     -d "{\"wallet_address\":\"$WALLET_ADDRESS\",\"nickname\":\"$NICKNAME_ESC\",\"source\":\"agent\"}")
   ```
Confidence
92% confidence
Finding
```bash
curl -s -o /dev/null -w "%{http_code}" -X POST \
  https://xaue.com/api/rankings/participants \
  -H 'Content-Type: application/json' \
  -d
```

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/__tests__/deposit-cli.test.js:21

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/__tests__/deposit-confirmed.test.js:195

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/__tests__/withdraw-cli.test.js:21