trade-with-aiusd

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate AIUSD trading skill, but it needs review before use: it can move funds, and both its installers and its reset flows make broad changes to the local machine.

Install only from a trusted AIUSD source and inspect the extracted package before running either installer. Do not run it on a shared bot host or a machine with unrelated wallet, exchange, or API credentials. Before trading, staking, gas top-ups, or withdrawals, require explicit human confirmation of token, amount, destination address, network, fees, and expected result. Treat reauth and reset commands as destructive because they can remove shared local authentication state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The script is a self-extracting installer that unpacks an opaque embedded archive, deletes any prior installation, and then installs dependencies, which materially expands the trust boundary beyond the declared trading skill. Because the payload is hidden in base64 and immediately prepared for execution, reviewers cannot assess what code will actually run without extracting and auditing the archive, making this a meaningful supply-chain and hidden-functionality risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
Running `npm install` on newly extracted, unaudited contents can execute lifecycle scripts (`preinstall`, `install`, `postinstall`) with the user's privileges. In a cryptocurrency trading/account-management skill, this is especially dangerous because the environment may contain API keys, wallet material, or exchange credentials that malicious install scripts could exfiltrate.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README promotes high-risk financial actions such as trading, staking, withdrawals, and gas-management through natural-language prompts, but it does not clearly warn users that these actions may be irreversible, market-sensitive, or capable of causing financial loss. In a chat-driven assistant context, this omission increases the chance of users treating the skill as low-risk automation and authorizing harmful transactions without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The document includes destructive auth-reset commands (`rm -rf ~/.mcporter ~/.mcp-hub` and unsetting tokens) without a strong warning, confirmation step, or narrow-scope safer alternative. Users or agents could erase valid credentials and local auth state unexpectedly, causing account disruption and potential loss of session continuity across tools.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The installer unconditionally deletes an existing `aiusd-skill` directory with `fs.rmSync(..., { recursive: true })` before reinstalling, and it does so without confirmation, backup, or even a dry-run warning. This can destroy local user data, configs, or modified files if the target directory already exists, especially because the installer runs in the current working directory chosen by the user.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The installer extracts an opaque embedded tarball and then runs `npm install`, which can execute package lifecycle scripts from untrusted package contents. Because the payload is base64-encoded and not reviewed inline, the user cannot meaningfully inspect what will be extracted or what subprocesses will run, increasing the risk of arbitrary code execution during installation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The installer unconditionally performs an `rm -rf`-style recursive delete of the target skill directory without confirmation, backup, or safety checks. This can destroy existing local data, configurations, customizations, logs, or credentials stored under that directory, and in an account-management context such data may be operationally sensitive.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Executing `npm install` without clearly warning the user that package lifecycle scripts may run causes implicit code execution from untrusted extracted content. Given the skill's cryptocurrency trading purpose, this raises the risk of credential theft, wallet compromise, or manipulation of trading behavior during installation.
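The installer findings above (opaque base64 archive, unconditional delete, `npm install` running lifecycle scripts) and the overview's advice to inspect the extracted package before running either installer come down to one check: decode the embedded archive without executing the installer and read what it contains. The Python script below is an added example, not part of this report or of the AIUSD project. It builds a stand-in installer in memory (the real installer's variable names, payload and file layout are not reproduced; `PAYLOAD` and the `aiusd-skill/` paths are assumptions), pulls out the longest base64 literal, opens the tarball in memory, lists its members, reports every `package.json` lifecycle hook that `npm install` would run, and flags entries whose paths or link types could write outside the extraction directory.

```python
"""Offline audit of a self-extracting installer that embeds a base64 tarball.

Added example, not code from the report or the AIUSD project. It never runs
the installer: the payload is decoded and inspected purely in memory.
"""
import base64
import io
import json
import re
import tarfile

# Hooks npm runs automatically during a plain `npm install` in the package directory.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def extract_embedded_archive(installer_source: str) -> bytes:
    """Return the decoded embedded archive from the installer's source text.

    Assumption: the archive is the longest base64-looking quoted string literal
    in the file (the real installer's variable name and layout are unknown here).
    """
    literals = re.findall(r"""['"`]([A-Za-z0-9+/=\s]{64,})['"`]""", installer_source)
    if not literals:
        raise ValueError("no embedded base64 payload found in installer source")
    blob = "".join(max(literals, key=len).split())  # drop any line wrapping
    return base64.b64decode(blob, validate=True)


def audit_archive(archive: bytes) -> dict:
    """Inspect a tarball in memory without extracting it to disk.

    Reports every member name, the lifecycle hooks declared by any package.json
    (code `npm install` would execute with the user's privileges), and members
    whose paths or link types could write outside the extraction directory.
    """
    report = {"members": [], "lifecycle_hooks": {}, "unsafe_members": []}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for m in tf.getmembers():
            report["members"].append(m.name)
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts or m.issym() or m.islnk():
                report["unsafe_members"].append(m.name)
            if m.isfile() and parts[-1] == "package.json":
                scripts = json.loads(tf.extractfile(m).read()).get("scripts", {})
                hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
                if hooks:
                    report["lifecycle_hooks"][m.name] = hooks
    return report


def _make_sample_installer() -> str:
    """Constructed stand-in for a self-extracting installer (NOT the real AIUSD file).

    The embedded package declares a postinstall hook that dumps the environment,
    which is the kind of behaviour the report warns about.
    """
    package_json = json.dumps({
        "name": "aiusd-skill",
        "version": "0.0.0",
        "scripts": {"postinstall": 'node -e "console.log(process.env)"', "test": "echo ok"},
    }).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in (("aiusd-skill/package.json", package_json),
                           ("aiusd-skill/index.js", b"// stub\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    payload = base64.b64encode(buf.getvalue()).decode()
    return (
        "const fs = require('fs');\n"
        f'const PAYLOAD = "{payload}";\n'
        "fs.rmSync('aiusd-skill', { recursive: true, force: true });\n"
        "// decode PAYLOAD, extract, then spawn `npm install` (not reproduced)\n"
    )


SAMPLE_INSTALLER = _make_sample_installer()
SAMPLE_REPORT = audit_archive(extract_embedded_archive(SAMPLE_INSTALLER))

if __name__ == "__main__":
    print(json.dumps(SAMPLE_REPORT, indent=2))
```

Against the real file, feed the installer's source text to `extract_embedded_archive` and pass the result to `audit_archive`; anything under `lifecycle_hooks` is code that runs during installation and needs to be read before the installer is executed, and anything under `unsafe_members` means the archive should not be extracted at all. Once the contents are reviewed, `npm install --ignore-scripts` keeps the hooks from firing, and the installer's unconditional delete can be sidestepped by running it only in an empty directory.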

VirusTotal

64/64 vendors flagged this skill as clean.
