Web3 Trader

Security checks across malware telemetry and agentic risk

Overview

This crypto trading skill has real swap functionality, but its documentation advertises high-risk automated trading features (Hyperliquid, perpetuals, agent wallets, risk controls) that the analyzed files do not implement, and it is inconsistent about whether the hosted swap page auto-triggers wallet transactions and about how the agent-wallet private key is handled.

Install only after reviewing the exact trade flow you intend to use. Treat hosted preview links, QR codes, wallet addresses, and trade parameters as sensitive, and verify every wallet prompt manually against the quote you expected before signing. Do not rely on the advertised Hyperliquid/agent-wallet risk controls unless the missing implementation files are supplied and audited, and do not place the trading private key in ordinary environment variables; keep it in proper secret storage and enforce strict order limits on its use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no explicit permissions while its documented behavior clearly requires network access, filesystem writes, shell execution, and environment variable use. This undermines policy enforcement and user/operator review, especially for a trading skill that can generate transactions and handle wallet-related workflows.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill advertises advanced trading, Hyperliquid, perpetuals, risk controls, and agent-wallet features that the analyzed content does not substantiate. In a financial-trading context, capability overstatement is dangerous because users and orchestrators may rely on nonexistent safeguards such as balance prechecks, confirmation tiers, or reduced custody exposure.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The document states that the hosted swap page may automatically trigger wallet transactions in an embedded wallet browser, while the changelog later says auto-execution was removed. Contradictory instructions around transaction initiation are dangerous in a wallet workflow because they can cause unsafe agent behavior, unexpected signing prompts, or normalization of clickless transaction flows.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The architecture diagram still depicts `eth_sendTransaction` being initiated from the hosted page, which conflicts with the stated removal of auto-execution. Even if only documentary, this can mislead implementers into rebuilding or preserving unsafe auto-signing patterns in a highly sensitive financial context.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The documentation routes users through a server-hosted preview page before wallet signing, which expands the trust boundary beyond a pure local-wallet flow. In a trading skill, that intermediary page could present altered transaction details, phishing content, tracking, or chain/asset mismatches while still claiming 'zero-custody,' creating a meaningful integrity and social-engineering risk even if private keys remain in the wallet.

Context-Inappropriate Capability

Low
Confidence
69% confidence
Finding
The instructions create a QR image under /tmp and then copy it into the agent workspace, introducing unnecessary local persistence for user transaction links. While not severe by itself, in an agent environment this can leak sensitive workflow artifacts, expose preview URLs to other processes or logs, and broaden filesystem access beyond what is required for quoting a trade.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation keyword list is extremely broad and includes common trading and finance terms without clear boundaries. For a skill that can construct transactions and guide wallet actions, overbroad triggering increases the chance of accidental invocation during casual conversation, causing confusing or risky financial prompts.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The fallback flow uploads a generated swap page containing transaction-related data to a third-party hosting service without a clear disclosure of what data is exposed, how long it persists, or who can access it. In a crypto-trading context, even wallet addresses, trade parameters, and preview links can reveal sensitive financial intent and create phishing or privacy risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs operators to place an Agent Wallet private key in environment variables without prominent guidance on secret storage, rotation, least privilege, or host hardening. Because this key can authorize trading activity, compromise of the runtime or logs could enable unauthorized orders and financial loss even if withdrawals are restricted.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions explicitly upload a generated swap page to a public third-party file-hosting service and then distribute its URL via QR code. In a Web3 trading context, that page may contain wallet addresses, trade parameters, metadata, or integration details, so publishing it externally can leak sensitive transaction information, expose users to tracking or tampering risk, and create an unnecessary dependency on an untrusted host.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The QR-generation guidance omits user-facing warnings that a local file will be created, copied, and later deleted, which weakens transparency and safe handling expectations. In the context of a financial trading skill, undisclosed local artifact creation is more concerning because the QR embeds a transaction-related URL that may reveal trading intent or become a phishing pivot if accessed by other components.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal