DEX Agent

Security checks across malware telemetry and agentic risk

Overview

This DeFi trading skill matches its stated purpose, but it handles real funds with under-disclosed risks, including plaintext private-key storage and automatic live sell execution from the monitor command.

Review carefully before installing. Use only a fresh low-balance wallet, assume the private key is stored recoverably on disk, test with tiny amounts, revoke router approvals when done, and do not run monitor against funded positions unless you intend it to execute live sales automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence (Medium severity, 94% confidence)

The ETH swap path appears functionally inconsistent: it sets tokenIn to WETH in exactInputSingle while also attaching native ETH as the transaction value, but there is no explicit wrapping step (a WETH deposit) or router method specialized for native ETH input. Whether this works depends on the router. The canonical Uniswap V3 SwapRouter wraps msg.value into WETH9 inside its internal pay() helper when tokenIn is WETH9, but a router or fork without that branch will either revert or accept the ETH without applying it to the swap. The result can be failed swaps, confused user expectations, or misrouted funds, which is especially risky in a script that signs and broadcasts transactions directly. Verify the behaviour against the source of the exact router address the skill targets, and test on a fork or testnet before sending value.

Intent-Code Divergence (High severity, 99% confidence)

The module claims private keys are stored encrypted locally, but the implementation writes the raw private key directly into a JSON file. This creates a clear mismatch between documented security guarantees and actual behavior, increasing the chance users will trust the tool with real funds while their key remains trivially recoverable by local malware, other users, backups, or accidental disclosure.

Intent-Code Divergence (Medium severity, 84% confidence)

The code makes strong security assurances in the docstring but does not implement protections consistent with those claims beyond writing a local file and setting file permissions. Even if the key is not explicitly transmitted here, the misleading assurances can cause unsafe operational decisions and conceal the absence of real secret-management controls.

Missing User Warnings (Medium severity, 90% confidence)

The README actively instructs users to generate wallets, fund them, execute swaps, and place stop-loss/take-profit orders on a live chain, but it does not clearly warn that these are real on-chain transactions with irreversible financial consequences. In a trading skill, this omission increases the chance that users misunderstand the environment as simulated or low-risk, potentially leading to unintended asset loss, gas expenditure, or execution of trades with real funds.

Missing User Warnings (High severity, 96% confidence)

The monitor command automatically executes token sales for any triggered orders without requiring fresh user confirmation at execution time. In a trading agent connected to a real wallet, this can cause unintended or manipulated asset liquidation if price feeds, stored orders, or trigger logic are wrong, stale, or tampered with.
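The guardrails this finding calls for, as an added example (not the DEX Agent skill's own code): a monitor that is dry-run by default, distrusts stale or implausible quotes, and asks for a fresh per-order confirmation before any live sale. The order and price-feed layouts are hypothetical, and execute_sell stands in for whatever swap call the skill makes.

```python
"""Guard-railed stop-loss/take-profit monitor.

Added example, not the DEX Agent skill's own code. It shows the checks the
finding above asks for: a monitor that is dry-run by default, that refuses
to act on a stale or implausible price quote, and that requires a fresh
per-order confirmation before any live sale. Order and feed layouts are
hypothetical; execute_sell stands in for the skill's swap call.
"""
import time
from dataclasses import dataclass

MAX_FEED_AGE_S = 60      # a quote older than this is treated as stale
MAX_DEVIATION = 0.20     # a quote that moved >20% since the last one is distrusted


@dataclass
class Decision:
    order_id: str
    action: str          # "execute", "plan" (dry run) or "skip"
    reason: str


def should_trigger(order, price):
    """Trigger rule for the two order kinds the hypothetical skill stores."""
    if order["kind"] == "stop_loss":
        return price <= order["trigger"]
    if order["kind"] == "take_profit":
        return price >= order["trigger"]
    raise ValueError(f"unknown order kind {order['kind']!r}")


def feed_problem(price, quoted_at, last_price, now):
    """Return a reason to distrust the quote, or None if it passes the sanity checks."""
    if now - quoted_at > MAX_FEED_AGE_S:
        return "stale price feed"
    if price <= 0:
        return "non-positive price"
    if last_price and abs(price - last_price) / last_price > MAX_DEVIATION:
        return "price jump exceeds deviation bound"
    return None


def run_monitor(orders, feed, execute_sell, *, live=False, confirm=None,
                now=None, last_prices=None):
    """Evaluate every order once; sell only when live=True and confirm() agrees."""
    now = time.time() if now is None else now
    last_prices = last_prices or {}
    decisions = []
    for order in orders:
        price, quoted_at = feed[order["token"]]
        problem = feed_problem(price, quoted_at, last_prices.get(order["token"]), now)
        if problem:
            decisions.append(Decision(order["id"], "skip", problem))
            continue
        if not should_trigger(order, price):
            decisions.append(Decision(order["id"], "skip", "trigger not met"))
            continue
        if not live:
            decisions.append(Decision(order["id"], "plan",
                                      f"dry run: would sell {order['amount']} {order['token']} at {price}"))
            continue
        # Fresh confirmation at execution time, not only when the order was created.
        if confirm is None or not confirm(order, price):
            decisions.append(Decision(order["id"], "skip", "not confirmed by user"))
            continue
        execute_sell(order, price)
        decisions.append(Decision(order["id"], "execute",
                                  f"sold {order['amount']} {order['token']} at {price}"))
    return decisions


# Constructed sample data (not real tokens, orders or prices).
NOW = 1_700_000_000
ORDERS = [
    {"id": "o1", "token": "TKN", "kind": "stop_loss", "trigger": 0.90, "amount": 100},
    {"id": "o2", "token": "TKN", "kind": "take_profit", "trigger": 2.00, "amount": 50},
    {"id": "o3", "token": "OLD", "kind": "stop_loss", "trigger": 5.00, "amount": 10},
    {"id": "o4", "token": "JMP", "kind": "stop_loss", "trigger": 1.00, "amount": 10},
]
FEED = {"TKN": (0.85, NOW - 5), "OLD": (1.00, NOW - 600), "JMP": (0.50, NOW - 5)}
LAST_PRICES = {"JMP": 1.50}


def demo(live=False, confirm=None):
    """Run the monitor over the constructed data; returns (decisions, executed sells)."""
    executed = []
    decisions = run_monitor(ORDERS, FEED,
                            lambda o, p: executed.append((o["id"], o["amount"], p)),
                            live=live, confirm=confirm, now=NOW, last_prices=LAST_PRICES)
    return decisions, executed


if __name__ == "__main__":
    for d in demo()[0]:
        print(d)
```

In the constructed data only o1 is eligible: o3's quote is ten minutes old, o4's quote dropped two thirds since the previous one (the tamper or bad-feed case), and o2's target is not reached. Even o1 is only planned unless the monitor is started live and the confirmation callback returns true.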

Missing User Warnings (Medium severity, 97% confidence)

The function persists the private key to disk in plaintext and does not clearly warn the user that the secret is being stored locally in recoverable form. In the context of a trading wallet, this is especially dangerous because compromise of the file immediately enables theft of on-chain assets without additional barriers.
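The three findings about key storage all reduce to one question: does the wallet file hold the raw key, and who can read it? The following added example (not the DEX Agent skill's own code) answers that for a file on disk so the docstring's claim can be tested rather than trusted. The file layouts, field names and keys are constructed; the fake keys are not real wallets.

```python
"""Audit a wallet file for a recoverable private key.

Added example, not the DEX Agent skill's own code. The findings above say
the docstring promises encrypted storage while the file holds the raw key;
this check verifies what the file actually contains and how it is
protected. File layouts and field names are assumptions, and the keys
written by demo() are fake.
"""
import json
import os
import re
import stat
import tempfile

# A raw secp256k1 private key serialised as 32 bytes of hex, with or without 0x.
RAW_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")


def find_raw_keys(obj, path="$"):
    """Walk a JSON document and return the paths of values that look like raw keys.

    The 'crypto' subtree of a keystore-v3 file is skipped: its ciphertext and
    mac fields are also 32-byte hex strings but are not the key itself.
    """
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == "crypto":
                continue
            hits += find_raw_keys(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += find_raw_keys(v, f"{path}[{i}]")
    elif isinstance(obj, str) and RAW_KEY.match(obj):
        hits.append(path)
    return hits


def audit_wallet_file(path):
    """Return a list of problems; empty means no raw key and owner-only permissions."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {oct(mode)} allows group or other access")
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    for loc in find_raw_keys(data):
        problems.append(f"raw private key at {loc}")
    return problems


# Constructed fixtures: a fake key and address, not a real wallet.
FAKE_KEY = "0x" + "ab" * 32
FAKE_ADDR = "0x" + "00" * 19 + "01"


def demo():
    """Write two constructed wallet files into a temp dir and audit both."""
    tmp = tempfile.mkdtemp()
    raw = os.path.join(tmp, "wallet.json")
    with open(raw, "w", encoding="utf-8") as f:
        # The layout the finding describes: raw key next to the address.
        json.dump({"address": FAKE_ADDR, "private_key": FAKE_KEY}, f)
    os.chmod(raw, 0o644)
    keystore = os.path.join(tmp, "keystore.json")
    with open(keystore, "w", encoding="utf-8") as f:
        # Keystore-v3 shaped file: key is only recoverable with the passphrase.
        json.dump({"version": 3, "address": FAKE_ADDR[2:],
                   "crypto": {"cipher": "aes-128-ctr", "ciphertext": "cd" * 32,
                              "kdf": "scrypt", "mac": "ef" * 32}}, f)
    os.chmod(keystore, 0o600)
    return {"wallet.json": audit_wallet_file(raw),
            "keystore.json": audit_wallet_file(keystore)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or ["ok"])
```

Run it against the file the skill actually writes: a hit on a raw key means the stored secret is exactly as recoverable as the findings describe, regardless of what the docstring says, and a permissive mode means it is recoverable by other local accounts as well.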

VirusTotal

66/66 vendors reported this skill as clean (no detections). Antivirus scanning looks for known malicious code; it does not evaluate the logic issues above (plaintext key storage, automatic live sells), so a clean VirusTotal result does not offset those findings.
