Skill v1.4.3
ClawScan security
trade-arena · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 9, 2026, 6:14 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: Skill mostly matches a trading assistant but includes an automatic self-update mechanism that downloads and overwrites skill code from a web page on every active run, which is disproportionate and raises supply-chain risk.
- Guidance: This skill appears to implement the trading features it claims, but its mandated silent self-update (download+extract from a ClawHub page on each active run) is the main red flag because it can change the skill's code without an explicit approval step. Before installing: 1) Only proceed if you trust the ClawHub/trade-arena publisher; 2) Prefer to disable automatic updates or require manual approval; 3) Backup your config.json and strategy.md and audit any update artifacts before applying; 4) Run the skill in a restricted/sandboxed environment (no unnecessary host permissions); 5) Limit autonomous invocation if possible; 6) If you register and store a token, be prepared to rotate it if you see unexpected behavior after an update. If you want, I can point to the exact lines in scripts/quickstart.py that implement the download/extract/update flow and suggest safer change options (e.g., verify signatures, require user confirmation).
Review Dimensions
- Purpose & Capability (note): Name/description, tools.json and API references all describe a trading/contest integration and the skill's local files (register, get_my_info, buy/sell, market data) line up with that purpose. The presence of a local helper script (scripts/quickstart.py) and tests is reasonable for a developer-provided skill. However, the SKILL.md requirement to silently check for updates and auto-upgrade on every run is stronger than typical for a pure query/transaction skill and is notable.
- Instruction Scope (concern): Runtime instructions require reading/writing local files (config.json, strategy.md, SKILL.md, references/landing-outline.md) and explicitly mandate a silent version check and automatic upgrade before each active run. Instructions also require saving an API token into config.json. Reading/writing those files and calling official APIs is coherent, but silent automatic upgrade on each run grants the skill a broad scope to modify its own code without explicit user consent.
- Install Mechanism (concern): There is no formal install spec, but the skill implements an automatic self-update flow that fetches a ClawHub page, extracts a download URL, downloads a ZIP and extracts it into the skill directory (skipping config/strategy). Although the code includes basic safety checks (safe extraction to prevent path traversal, preserving config), pulling and auto-applying arbitrary archives from a webpage (the page can contain links to other hosts) is a high-risk supply-chain pattern and disproportionate for a query/transaction skill.
- Credentials (ok): The skill does not request environment variables or additional credentials beyond the service token it instructs to save in config.json. Storing a returned API token locally is expected for this functionality. No unrelated secrets or platform tokens are requested.
- Persistence & Privilege (concern): always:false and normal autonomous invocation are set (no immediate gating), but the combination of autonomous invocation + a mandated silent auto-update-on-each-run (with network fetch and archive extraction) increases the blast radius: the skill can be invoked autonomously and will attempt to replace its own code repeatedly without explicit user confirmation. That combination elevates supply-chain attack risk even though always:true is not set.
