SnapTrade

Security checks across malware telemetry and agentic risk

Overview

This SnapTrade skill is disclosed as a portfolio tool, but it can also place real brokerage trades and run recurring financial reports without strong built-in safeguards.

Install only if you intend to grant this skill ongoing SnapTrade brokerage access and possible trade authority. For read-only reporting, remove or avoid the order and trade reconnect scripts, use read-only brokerage permissions where possible, protect the secrets file, and require explicit confirmation of account, symbol, side, quantity, order type, and price before any trade. Review any cron or WhatsApp automation before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes shell, file read/write, and environment-backed capabilities but does not declare permissions or scope them in the manifest. This weakens reviewability and user trust because a seemingly simple portfolio-reporting skill can access local secrets and execute commands, increasing the chance of unintended data exposure or misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The manifest presents the skill as brokerage connectivity and portfolio reporting, but the documentation includes live order placement, order monitoring, and trade-enabled reconnect flows. That mismatch is dangerous because users or automated policy systems may authorize a low-risk reporting skill while it can actually submit real trades with financial consequences.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The documented behavior goes beyond portfolio connectivity/reporting and adds buy/sell order placement and order watching. Hidden expansion from read/report actions to transactional brokerage actions materially increases risk because executing trades can cause direct financial loss.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Trade execution is not justified by the stated purpose of a portfolio connectivity/reporting skill. In this context, the capability is especially dangerous because users expecting read-only account linking and summaries may unknowingly enable irreversible market or limit orders.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Order-status monitoring is not as severe as trade submission, but it still reflects brokerage trading functionality outside the declared reporting scope. It can normalize or facilitate undisclosed trading operations and obscure the true risk profile of the skill.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script places live buy/sell orders, which materially exceeds the skill's declared purpose of brokerage connectivity and portfolio reporting. In an agent context, hidden trading capability expands the action surface from read-oriented finance operations to irreversible account actions, creating a serious risk of unauthorized or unexpected trades.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code directly invokes `place_force_order` using stored credentials even though the stated purpose is reporting and connectivity, not execution. Because financial trades can cause immediate monetary loss and are not easily reversible, unjustified execution capability is dangerous even if implemented without overtly malicious intent.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script is described as generating a portfolio total, but it also performs state-changing operations by refreshing brokerage authorizations and waiting on account sync. That creates a scope mismatch: invoking a read/reporting skill can trigger external side effects, extra API activity, and unexpected updates on linked financial connections, which is risky in an agent setting where users may not expect or consent to mutation-like actions for a simple report.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instructions support placing buy/sell orders with a default market order but provide no warning about irreversible execution, price slippage, or financial risk. In a brokerage context, unsafe defaults and absent risk disclosures can directly cause unintended trades and substantial monetary loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow instructs sending portfolio totals through WhatsApp without warning that financial balances are sensitive data shared through a third-party messaging channel. This creates privacy and confidentiality risk, especially if messages are stored, synced across devices, or sent to the wrong recipient.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script submits credential-backed live orders immediately from command-line arguments without any explicit warning, dry-run, or interactive confirmation step. In an automated agent workflow, this makes accidental, prompt-injected, or misrouted trade execution much more likely, with direct financial consequences for the user.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code registers a SnapTrade user, extracts the returned user_secret, and persists it via save_config without any indication of secure storage, minimization, or user disclosure. Because this secret is later used to authenticate portal-link creation, compromise of the config store could allow unauthorized access to brokerage connectivity flows or continued API actions on behalf of the user.

VirusTotal

66/66 vendors flagged this skill as clean.