Portfolio Trader

Security checks across malware telemetry and agentic risk

Overview

This skill appears legitimate but needs review because it can store brokerage secrets and place real buy/sell orders without strong built-in safeguards.

Install only if you intend to give the agent brokerage-account access and possible trading authority. Prefer read-only SnapTrade connections, protect the snaptrade.json secret file, do not run the order or trade reconnect scripts unless you explicitly approve the exact transaction, and avoid cron or WhatsApp reporting unless you have verified what data will be sent and how to disable it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation indicates capabilities to read/write local secret files, use shell commands, and access environment-like configuration, but the manifest does not declare corresponding permissions. This creates a transparency and policy gap: operators may invoke a skill with broader access than expected, increasing the chance of unintended secret exposure or unauthorized local actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is account connectivity and portfolio reporting, but the documentation also includes live trade execution, order monitoring, and trading-enabled reconnect flows. This mismatch is dangerous because reviewers and users may authorize a reporting skill without realizing it can place real buy/sell orders affecting brokerage assets.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
Within a skill framed as portfolio connectivity/reporting, the documentation introduces operational trading commands for buy/sell orders. In context, this materially increases danger because financial trades are irreversible or costly, and users may not expect a reporting-oriented skill to initiate market activity.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Trade placement is not justified by the declared use case of brokerage connectivity and portfolio summaries. Unnecessary high-risk functionality broadens the attack surface and makes accidental or unauthorized execution of financial transactions more plausible.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The documentation adds WhatsApp delivery of portfolio reports, which extends the skill beyond SnapTrade connectivity/reporting into third-party message transmission. This increases privacy risk because sensitive financial data may be sent through another service without being disclosed in the core skill description.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script introduces direct trade execution capability in a skill whose stated purpose is brokerage connectivity and portfolio reporting. That scope expansion is dangerous because it enables real financial transactions using configured credentials, creating a materially different and higher-risk action surface than the manifest suggests.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The call to client.trading.place_force_order performs actual securities trades, which is unjustified for a portfolio-reporting/connectivity skill and creates a high-risk mismatch between expected and actual behavior. In this context, a user or downstream agent could invoke the script expecting read-only operations but instead trigger irreversible financial actions.

Missing User Warnings

High
Confidence
94% confidence
Finding
The markdown instructs users to place market and limit orders but does not provide an explicit warning that these are live trades with potentially irreversible financial consequences. In a financial context, omission of such warnings can lead to accidental transactions, losses, or misuse by an automation layer that treats the command as routine.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Scheduling portfolio reports to be sent over WhatsApp lacks a privacy warning despite involving sensitive financial information and a third-party messaging platform. This can expose account value data to unintended recipients, compromise confidentiality, or violate user expectations around financial-data handling.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script submits a live buy/sell order immediately based on CLI arguments, with no explicit warning, no confirmation step, and no secondary validation before the destructive action occurs. Because market and limit orders can have real financial consequences and may be difficult or impossible to reverse once filled, this absence of confirmation is a serious safety flaw.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code stores the SnapTrade user_secret in persistent configuration via save_config(cfg) without any indication of encryption, access controls, or user disclosure. If that config file is readable by other local users, backed up insecurely, or exposed through logs/support bundles, the secret could be reused to authenticate as the SnapTrade user and generate portal sessions or otherwise access linked brokerage functionality.

VirusTotal

65/65 vendors flagged this skill as clean.