Blave Quant Skill

Security checks across malware telemetry and agentic risk

Overview

This documentation-only crypto trading skill is not malware, but it needs Review because it covers live exchange trading, transfers, lending, automation examples, and mandatory broker/affiliate attribution.

Review carefully before installing. Use dedicated API keys with the minimum permissions needed, disable withdrawals, prefer read-only or testnet keys first, and do not deploy the cron, streaming, copy-trading, or auto-lending examples unless you add dry-run mode, explicit limits, monitoring, and emergency stop controls. Be aware that some exchange requests include broker or affiliate attribution for the publisher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (44)

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
The chart auto-send rule introduces outbound data transmission to an external notification channel that is not part of the declared core capability set. In a trading skill that can access balances, positions, analytics, and potentially sensitive charts, automatic sending increases the risk of unintended disclosure to third-party endpoints or misconfigured channels.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Truth Social post monitoring and translation is materially outside the declared market-data and exchange-trading scope, indicating scope creep into social-media monitoring. Unrelated capabilities can create unexpected data flows, broader permissions, and a larger attack surface, especially in a financial automation context where external signals may influence user decisions or downstream automations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest asserts an enforced per-action `CONFIRM` control for order, cancel, transfer, and funding operations, but this file is only declarative metadata and contains no mechanism that can technically guarantee or validate that behavior. In a high-risk crypto trading skill spanning multiple exchanges and money-moving actions, users or downstream systems may rely on a non-enforced safety promise and execute irreversible financial actions without the stated confirmation gate.

Description-Behavior Mismatch

Low
Confidence
94% confidence
Finding
The manifest asserts an enforced per-action `CONFIRM` control for order, cancel, transfer, and funding operations, but this file is only declarative metadata and contains no mechanism that can technically guarantee or validate that behavior. In a high-risk crypto trading skill spanning multiple exchanges and money-moving actions, users or downstream systems may rely on a non-enforced safety promise and execute irreversible financial actions without the stated confirmation gate.

Description-Behavior Mismatch

Low
Confidence
94% confidence
Finding
The skill embeds a third-party referral/registration link that is not necessary for executing BingX API operations and introduces an external monetization path into a high-trust trading workflow. In a skill that handles exchange credentials and trading actions, unrelated outbound links increase phishing, affiliate abuse, and social-engineering risk because users may infer the link is endorsed as operationally required.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to attach a developer-controlled affiliate code to every order and funding action, causing user trades to generate fee attribution for the skill author without any user opt-in or necessity for core functionality. In a trading skill with direct order execution authority, hidden monetization tied to each transaction is a deceptive side effect and creates a conflict of interest.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The file includes authenticated affiliate and invited-user endpoints that expose referral, rebate, and invited-customer data that are not necessary for core futures trading or account management. In a trading skill, expanding scope to unrelated partner/customer data increases privacy exposure and broadens the blast radius if the skill is misused or over-permissioned.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file documents BitMart isolated margin borrowing, trading, and repayment even though the declared BitMart scope is spot and futures. This expands the agent's effective capability into higher-risk leveraged activity, which can cause unauthorized borrowing, liquidation exposure, and user harm if invoked through mismatched policy or UI expectations.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill documentation explicitly classifies "withdraw" as a WRITE action, but the declared BitMart spot scope in the metadata only mentions buy/sell, balances, history, and transfers. This creates a scope mismatch that can mislead an agent or reviewer into believing the skill cannot move funds off-platform, when in fact the reference suggests support for a more dangerous irreversible action.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The file claims indicators are 'reference only' and not buy/sell signals, but later provides direct action-oriented guidance such as '做多/做空' (go long/go short), '反向策略' (contrarian strategy), and setup recommendations. In a skill that can place live trades across multiple exchanges, this contradiction can mislead downstream agents or users into treating educational content as executable trading advice, increasing the risk of unsafe or unauthorized financial actions.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill declares very broad authority across multiple exchanges and trading modes, including direct order placement, leverage, transfers, lending, and position management, but does not define tight invocation boundaries, eligibility checks, or action gating. In an agent context, this increases the chance that ambiguous user requests or prompt-manipulated flows could trigger sensitive account actions on the wrong venue or with unintended parameters.

Missing User Warnings

High
Confidence
97% confidence
Finding
The file describes direct use of authenticated trading and account APIs for spot, futures, swaps, leverage, TP/SL, transfers, and funding without any prominent user-facing warning or required acknowledgment that these actions can move funds or create real-money exposure. In this context, the absence of explicit warnings and confirmation requirements is dangerous because the skill is designed to operate live exchange accounts, so mistaken or coerced invocations could immediately cause financial loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The example reads API credentials from environment data and sends them in HTTP headers, but the markdown does not prominently warn users that authenticated requests transmit secrets to a remote service. In a trading skill context, these credentials may grant access to sensitive account data or trading capabilities, so normalizing their casual use in sample code increases the risk of accidental misuse, leakage through logs, or use with overprivileged keys.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The example instructs users to load API credentials from environment-backed .env values and send them in authenticated requests, but it provides no warning about secret handling, least privilege, or avoiding hardcoding/logging. In a trading skill context with live exchange and account capabilities, this increases the chance that users mishandle high-value API keys, potentially leading to account compromise or unauthorized trading if the example is copied into unsafe workflows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This example explicitly automates live account actions on Bitfinex, including cancelling existing funding offers and submitting new ones on a cron schedule, but does not present a prominent safety warning, dry-run mode, or confirmation requirement. In the context of a trading skill with exchange credentials, this increases the risk of unintended financial actions, strategy churn, and direct account impact if a user copies the example blindly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This example explicitly instructs users to periodically mirror another trader's opens, closes, and position reductions, which can translate directly into repeated real-money trades if the workflow is automated. Although the document mentions liquidation risk and lag, it does not provide an explicit operational safety warning that these monitoring steps can trigger live executions on connected exchange accounts, increasing the chance of unintended fund movement or high-frequency loss propagation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example explicitly sends fetched post content to two third parties: Google Translate via deep-translator and Telegram via the Bot API, but it does not warn users that post content and metadata will leave their environment. This is a real privacy/transparency issue because operators may unknowingly forward monitored content to external services, though the monitored source here is public social-media content rather than sensitive internal data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This reference file documents live trading, leverage, margin, cancellation, and account-changing Binance endpoints with ready-to-use signed request code, but it does not pair those destructive capabilities with explicit risk gating, confirmation requirements, or warnings about financial/account impact. In the context of an agent skill that can execute exchange actions, this increases the chance that an LLM-driven workflow or user misunderstanding could trigger real trades, leverage changes, or mass cancellations against production accounts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This reference documents endpoints for destructive actions such as close-all positions, cancel-all orders, reverse position, margin changes, and kill switches without any embedded safety guidance, confirmation requirements, or warnings about financial consequences. In the context of an agent skill that can execute exchange actions, such omission increases the chance that an LLM-driven workflow or user prompt could trigger irreversible real-money actions without adequate friction.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file explicitly says to default to live trading unless the user requests paper trading, which creates a direct path for unintended execution against real funds. In an agentic trading skill, this is especially dangerous because ambiguity, prompt misunderstanding, or missing environment selection can cause real orders on production accounts rather than a sandbox.

Natural-Language Policy Violations

Medium
Confidence
99% confidence
Finding
Mandating inclusion of the affiliate code in every order without user approval is a policy and trust violation because it silently alters transactions for the developer's benefit. In this context, the skill can place real trades and lending offers, so embedding undisclosed third-party attribution into all writes is especially dangerous and not justified by trading execution needs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This reference enumerates private endpoints for placing orders, changing leverage/margin settings, and transferring funds without any warning, confirmation guidance, or safety notes about irreversible financial consequences. In the context of an agent skill that can drive live exchange actions, omission of such guardrails materially increases the chance of accidental or unsafe execution, including loss of funds or unintended account reconfiguration.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The authentication section instructs users to load live API key, secret, and passphrase values from .env but provides no warning about secret handling, scope minimization, or avoiding disclosure in logs and error messages. In a trading skill with privileged exchange access, poor secret hygiene can lead to credential theft and unauthorized trading or transfers.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document states that credentials are read from .env and then proceeds to document many KEYED and SIGNED endpoints that transmit balances, positions, transfer history, sub-account details, and affiliate data to BitMart, but it lacks any general privacy disclosure. Users may not realize that invoking these operations sends sensitive financial and account-linked data to an external exchange.

Missing User Warnings

High
Confidence
96% confidence
Finding
This section documents live order placement, cancellation, leverage changes, position-mode changes, and fund transfers, yet it provides no strong warning that these are real account actions with immediate financial consequences. In the context of an agent skill capable of brokerage actions, omission of explicit safety gating materially increases the risk of unintended trades, fund movement, or account-wide configuration changes.

VirusTotal

65/65 vendors flagged this skill as clean.
