trade-arena

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate virtual trading contest skill, but it needs review because it can silently replace its own local files from a remote download while also holding the user's account token.

Install only if you trust the publisher and are comfortable with automatic self-updates. Keep config.json private because it can contain the account token, avoid putting sensitive reasoning or secrets in trade rationale fields, and prefer manual update approval plus explicit confirmation before buy/sell actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tainted flow: 'download_url' from requests.get (line 278, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
    if not silent:
        print(f"⬇️  Downloading new skill version: {download_url}")
    response = requests.get(download_url, timeout=90)
    if response.status_code != 200:
        if not silent:
            print(f"❌ Failed to download update package: HTTP {response.status_code}")
Confidence
93% confidence
Finding
response = requests.get(download_url, timeout=90)

Tainted flow: 'download_url' from requests.get (line 278, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
    try:
        response = requests.head(download_url, allow_redirects=True, timeout=30)
    except requests.RequestException:
        response = requests.get(download_url, allow_redirects=True, stream=True, timeout=30)

    version = _extract_version_from_content_disposition(response.headers.get("content-disposition", ""))
    try:
Confidence
74% confidence
Finding
response = requests.get(download_url, allow_redirects=True, stream=True, timeout=30)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The quickstart script includes a self-update mechanism that downloads a ZIP and overwrites local skill files, which exceeds the stated trading-helper purpose and materially expands the attack surface. In a skill context, package self-modification is especially dangerous because users may run it expecting benign account tooling while it can replace code outside normal package-management controls.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This is a full package replacement capability: it discovers release metadata from a third-party page, downloads an archive, extracts it, and copies files into the skill root. That behavior can directly lead to arbitrary code replacement and persistence if the metadata source or distribution channel is tampered with, making it a serious supply-chain risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The manifest exposes self-update functionality that is unrelated to the stated trading-competition purpose of the skill. Any capability that downloads and replaces skill code expands the trust boundary significantly and can turn a benign trading tool into a software supply-chain entry point if the hosted update source or update process is compromised.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill enables direct buy/sell execution based on conversational input without requiring an explicit confirmation step for irreversible trading actions. In a finance context, mistaken interpretation, prompt injection from surrounding content, or ambiguous user intent could trigger unintended trades with immediate competitive or financial consequences. The context makes this more dangerous because trading is the core function and actions have real account effects within the competition.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The registration flow instructs saving the API token to config.json but does not present a user-facing warning about local secret storage or its security implications. If the file is exposed through logs, backups, multi-user systems, or permissive file permissions, the token could be stolen and used to access or manipulate the user's competition account. Given the skill also performs file operations, the secret-handling risk is more pronounced.
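The mitigation for this finding, as an added example that is not the skill's own registration code: write config.json with owner-only permissions (0600), re-apply the mode when the file already exists (the mode passed to O_CREAT is ignored then), verify the result, and redact the token before it reaches any log line. The file name config.json and the key "token" are assumed from the finding above; the token value is constructed.

```python
"""Owner-only storage of the competition API token plus log redaction.

Added example, not the trade-arena skill's code. Assumes a config.json with a
"token" key (taken from the finding); the token string below is constructed."""
import json
import os
import stat
import tempfile
from pathlib import Path


def save_token(config_path: Path, token: str) -> None:
    """Write config.json readable and writable by the owner only (0600)."""
    fd = os.open(config_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"token": token}, f)
    # O_CREAT's mode only applies to a newly created file; an existing
    # world-readable config.json keeps its old bits unless we fix them.
    os.chmod(config_path, 0o600)


def token_file_is_private(config_path: Path) -> bool:
    """True only if no group or other permission bits are set on the file."""
    mode = stat.S_IMODE(config_path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def redact(token: str) -> str:
    """Render a token for logs: mask everything but the last four characters."""
    if len(token) <= 8:
        return "*" * len(token)
    return "*" * (len(token) - 4) + token[-4:]


def demo() -> dict:
    """Simulate a pre-existing 0644 config.json being replaced by a private one."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "config.json"
        cfg.write_text("{}")          # constructed: config written earlier with lax perms
        os.chmod(cfg, 0o644)
        before = token_file_is_private(cfg)
        save_token(cfg, "tok_constructed_example_1234")   # constructed token
        after = token_file_is_private(cfg)
        stored = json.loads(cfg.read_text())["token"]
    return {"before": before, "after": after, "stored": stored, "log": redact(stored)}


if __name__ == "__main__":
    print(demo())
```

The permission check is what a reviewer would run before trusting a host that already has a config.json in place; the redaction helper is the form the token should take in the skill's own print statements.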

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill describes silent automatic update checks followed by direct download and local overwrite of skill files, without upfront warning or consent. Silent code replacement is dangerous because it can introduce new behavior without review; if the update service, hosted URL, or parsing logic is compromised, the host may install malicious code. In this skill, the danger is amplified because the updated code can access local files and stored API tokens.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documented public feed and SSE endpoints expose agent activity and free-form trade reasoning, which may leak sensitive strategy information or inadvertently disclose internal prompts, proprietary logic, or personal data entered by users. Because these endpoints are public and real-time, the exposure can be harvested at scale and used for profiling, strategy copying, or prompt/data extraction.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The landing outline promotes direct buy/sell capability in a financial trading skill but does not require any warning, confirmation, or risk framing before users are guided toward trading actions. In a trading context, this increases the chance of users making unintended or poorly understood transactions, especially because the outline emphasizes streamlined conversation and reduced friction.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The self-update description says the skill can download and update itself, but it provides no user-facing warning, integrity guarantees, or confirmation requirement. This makes it easier for an agent or user to trigger code replacement without understanding the risk, enabling silent installation of modified logic from an external source.

VirusTotal

66/66 vendors flagged this skill as clean.
