trade-with-aiusd

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real AIUSD trading skill, but it needs review because it can move funds and its installers and auth reset flow make broad local changes without enough user control.

Install only if you trust the AIUSD publisher and backend. Use a limited-balance account, protect local tokens and chat access, independently verify login domains, require the agent to confirm every trade, withdrawal, stake, unstake, and gas top-up, and avoid running the self-extracting installers in a directory containing important local changes or secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill explicitly instructs the agent to discover and consider newly added tools outside the documented set, which weakens the skill's stated scope boundaries. In an adversarial or misconfigured MCP environment, that dynamic discovery path could expose higher-risk capabilities and lead the agent to invoke tools that were never security-reviewed for this skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
Mandating `aiusd-skill tools --detailed` before every task creates a live capability-discovery channel that reveals all currently exposed tools, schemas, and examples regardless of user need. That increases attack surface, enables scope creep, and may leak operational details that help an agent misuse tools or follow newly introduced behaviors without human review.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The header presents the file as a complete skill package, but the actual behavior is a self-extracting installer that writes files, deletes an existing directory, extracts an embedded archive, and executes external commands. This mismatch increases the chance a user runs it without understanding the side effects, which is dangerous when combined with automatic filesystem changes and code execution.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The installer claims to contain the complete skill package, but it also runs `npm install`, which reaches out for external dependencies and may execute lifecycle scripts from package metadata. That discrepancy can mislead users into trusting a supposedly self-contained installer while it actually performs networked code execution beyond the embedded archive.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The README promotes drag-and-drop installation and natural-language trading, withdrawals, and account actions without prominent warnings about irreversible financial transactions, confirmation requirements, or the risks of ambiguous chat commands. In a financial skill, this materially increases the chance of accidental or socially engineered fund movements, especially across messaging platforms where users may act quickly or misunderstand what the bot will do.

Natural-Language Policy Violations

Severity: Low
Confidence: 79%
Finding
The skill is advertised as handling sensitive financial operations through broad natural-language conversations on Telegram, Discord, WhatsApp, Slack, SMS, and CLI, but the README does not describe guardrails such as supported locales, ambiguity handling, explicit consent, or safe fallback behavior. This makes misinterpretation and unauthorized or unintended actions more plausible, which is especially dangerous in a context involving crypto trading and withdrawals.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill instructs the agent to clear credential caches and local token files as part of automatic re-authentication, but does not require explicit user consent or warn that local authentication state will be deleted. This can cause destructive changes to user environment state, account switching surprises, and unintended loss of active credentials on a shared or sensitive workstation.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The installer unconditionally removes the existing `aiusd-skill` directory with `fs.rmSync(..., { recursive: true })` and no confirmation, backup, or path safety guard. If run from an unexpected working directory or over an existing customized installation, this can destroy data and local changes immediately.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script automatically executes tar extraction and npm install, which can run attacker-controlled code from the embedded package and package lifecycle scripts. Because the archive contents are opaque in this file and there is no integrity verification or up-front warning, running the installer effectively grants code execution on the host.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script unconditionally deletes an existing `aiusd-skill` directory with `rm -rf` and gives no confirmation, backup, or safety checks beyond the fixed path suffix. This can destroy prior installations, local modifications, credentials, or other data if the directory contains anything important, making the installer unsafe to run repeatedly.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
Running `npm install` on extracted content can execute arbitrary `preinstall`, `install`, `postinstall`, and transitive dependency scripts with the user's privileges. Because the archive payload is embedded and not independently inspected or verified here, this installer effectively chains archive extraction into code execution without clearly warning the user.

VirusTotal

65/65 vendors flagged this skill as clean.