XAUUSD

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed automated metals trading skill, but it needs Review because unauthenticated mode control and weak live-trading safeguards can affect a real broker account.

Install only after treating this as software that can trade real funds. Start with demo or paper credentials and Advisory mode, protect the .env file, restrict the WebSocket service to trusted local access or remove its command handling, and do not enable Semi-Automated or Fully-Automated modes until the buy/sell order bug, simulated-price fallback, and live execution approvals are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill requires sensitive environment-based secrets such as broker, messaging, and API tokens, yet the metadata does not declare corresponding permissions/capabilities. This creates a transparency and governance gap: an operator may install the skill without realizing it can access credentials and use them to place trades, send messages, or reach third-party services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior materially exceeds the declared purpose: beyond analysis, the skill can execute trades, expose a WebSocket interface, accept inbound mode changes, write persistent state, and send outbound alerts. This mismatch is dangerous because reviewers and users may underestimate the operational and security impact, especially in a financial automation context where unauthorized mode changes or hidden integrations can cause monetary loss and data exposure.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The code silently falls back to `_getSimulatedPrice()` in `poll()` whenever no live quote is available, then publishes those values through the same event channels as real market data. In an automated trading OS, this can cause downstream strategy or execution components to act on fabricated prices without any hard failure, explicit flagging, or operator approval, creating a serious integrity risk.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The function accepts a direction parameter and even computes an actionType, but it always calls createMarketBuyOrder regardless of whether the caller requested a long or short trade. In an automated trading system, this can invert intended market exposure, causing unintended live positions, broken risk controls, and potentially substantial financial loss.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The WebSocket endpoint is described and implemented primarily as a dashboard broadcaster, but it also accepts unauthenticated client messages that invoke bus.setMode(cmd.mode). Any party able to connect to the socket can potentially alter the trading system's runtime mode, turning a read-only monitoring channel into a control plane with no authorization, validation, or audit protections.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The mismatch between the module's stated purpose as a passive broadcaster and its actual behavior as a control-capable interface increases the likelihood that reviewers and operators will under-secure it. In a trading OS context, hidden control functionality on a dashboard socket can enable unauthorized operational changes while evading expected threat modeling and deployment hardening.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README explicitly guides users from advisory mode into semi-automated and fully automated live trade execution, but it does not include a prominent warning about real-money loss, irreversible order placement, broker-side execution risk, or the consequences of autonomous trading. In the context of a trading skill that can place live orders, this omission materially increases the chance of unsafe deployment and financial harm.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README instructs users to populate a .env file with broker, messaging, and AI API credentials and to connect multiple third-party services, but it does not warn about secret handling, least-privilege use, storage risks, or data sharing with external providers. Because this skill interfaces with trading, messaging, and AI services, mishandling these tokens could expose account control, sensitive trading data, or notification channels.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The README promotes fully automated live trade execution, alerting, and dashboard broadcasting without a clear warning about financial risk, privacy exposure, credential handling, and the system impact of autonomous operation. In this context, insufficient disclosure is security-relevant because users may enable live trading or external broadcasting without understanding that the skill can move funds, expose trading telemetry, and interact with external APIs continuously.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code automatically publishes an execution entry event whenever auto mode is enabled, with no additional confirmation, interlock, or user-visible acknowledgement at the point of trade placement. In a fully automated trading skill handling live broker actions, this creates a direct path from analysis output to order execution, so bad inputs, model errors, event spoofing, or misconfiguration can rapidly cause unauthorized or harmful trades.

VirusTotal

66/66 vendors flagged this skill as clean.