trade-with-aiusd
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is for real cryptocurrency trading and account access, but its artifacts under-declare credentials, lack clear approval limits for high-impact financial actions, and include opaque self-extracting installers that run local commands.
Install only if you trust the AIUSD provider and the embedded installer package. Use a dedicated low-balance wallet/account, inspect the extracted code and npm dependencies first, and require explicit confirmation for every trade, stake, unstake, gas top-up, or withdrawal.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-permissive agent action could place trades, stake/unstake funds, or withdraw crypto assets.
The skill is documented as able to mutate a user's financial account through trades and withdrawals. The provided artifacts do not show explicit confirmation, spending limits, destination checks, or rollback safeguards.
"Execute Trades" ... "Buy $50 of SOL with USDC" ... "Account Management" ... "Withdraw 100 USDC to my wallet"
Use only with explicit per-transaction confirmation, low limits, and a dedicated wallet/account; verify every trade and withdrawal before execution.
The agent may gain access to a trading account token that can reveal balances and enable account actions.
The skill uses bearer/OAuth/local token credentials for account access, while the registry metadata declares no primary credential, env vars, or required config paths.
Auth is resolved in order: env `MCP_HUB_TOKEN`, mcporter OAuth, or local `~/.mcp-hub/token.json`. Ensure a valid Bearer token is available before calling.
Declare credential requirements clearly, document token scope, and use the least-privileged token or a dedicated trading account.
Users may install code and dependencies that are not clearly surfaced by the registry metadata.
The installer embeds a large base64 tarball that is extracted into the installed skill. The registry provides no install spec or dependency declaration, making the installed package provenance and dependency set difficult to verify from metadata.
const PACKAGE_DATA = `H4sIAGHei2kAA+y923IjSZYg1rtmsjVBz9KzFytnALCAIADeMpGXaiaT2cVuJplNMqu2lJlDBoEgEZUAAhMRIJOV...
Publish the decoded package contents, package manifest, lockfile, and checksums; align the registry install spec with the actual installer behavior.
Installing the skill can execute local commands and dependency installation scripts on the user's machine.
Running the installer executes local shell commands and npm install from an embedded package, despite the registry saying there is no install spec.
execSync(`tar -xzf package.tar.gz`, { cwd: skillDir, stdio: 'pipe' }); ... execSync('npm install', { cwd: skillDir, stdio: 'inherit' });Run the installer only in a trusted, isolated environment after inspecting the extracted package and dependency scripts.
Users may be prevented from seeing or asking about important authentication details before granting account access.
The skill instructs the agent to suppress verification-related wording and hide the authentication URL from the user, which can reduce user visibility into where authentication is happening.
"Agents must NEVER use" ... "skill verification", "verification" ... "NEVER return the login URL to the user"
Require transparent authentication messaging, including the domain being used, and remove instructions that suppress security or verification discussion.