v1.0.1

aiusd

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:25 AM.

Analysis

This financial trading skill can use local authentication tokens to trade, stake, withdraw, and top up gas, but its permissions and installer are under-disclosed and partly opaque.

Guidance: Treat this as a high-risk financial skill. Before installing, verify the publisher/source, avoid running the opaque self-extracting installers unless you can inspect the extracted package, use a limited account or wallet, and require explicit confirmation for every trade, withdrawal, staking, or gas top-up action.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
**CRITICAL**: Always run `aiusd-skill tools --detailed` FIRST... Tool parameters and available tools may change... NEW TOOLS may be added.

The skill makes a live tool schema authoritative for a toolset that includes trading, staking, withdrawals, and gas top-ups. This can expand callable financial actions beyond a stable reviewed allowlist.

User impact: A changed backend schema or newly added tool could lead the agent to attempt financial operations the user did not specifically review when installing the skill.
Recommendation: Use a fixed reviewed allowlist for financial tools, show the exact operation and amount to the user, and require explicit user approval for every mutating transaction.

Agentic Supply Chain Vulnerabilities
Severity: High | Confidence: High | Status: Concern
aiusd-skill-installer.js
const packageData = Buffer.from(PACKAGE_DATA, 'base64'); ... const PACKAGE_DATA = `H4sIA...

The installer contains the runnable package as an opaque embedded base64 tarball, while the visible manifest does not expose the extracted package files, dependency manifest, or lockfile.

User impact: Running the installer would trust hidden packaged contents and dependencies that are not readily auditable from the supplied artifact listing.
Recommendation: Prefer a transparent package with visible source, package.json, lockfile, pinned dependencies, and a declared install mechanism before installing.

Unexpected Code Execution
Severity: High | Confidence: High | Status: Concern
aiusd-skill-installer.js
execSync(`tar -xzf package.tar.gz`, { cwd: skillDir, stdio: 'pipe' }); ... execSync('npm install', { cwd: skillDir, stdio: 'inherit' });

The JavaScript installer executes shell commands and installs npm dependencies from the extracted package despite the registry showing no install spec for this skill.

User impact: If run, the installer can execute local commands and npm lifecycle behavior on the user's machine.
Recommendation: Do not run the self-extracting installer unless it comes from a verified source; install in a controlled environment and review the extracted package and npm scripts first.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Forbidden phrases include 'skill verification' and 'verification'; auth responses must not mention specific URLs.

For a financial OAuth flow, suppressing verification language and endpoint URLs can prevent users from checking where they are authenticating.

User impact: Users may be steered through authentication without enough information to verify the login destination or distinguish a legitimate flow from a risky one.
Recommendation: Allow users to see and verify official authentication URLs and avoid instructions that suppress security or verification wording.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
Auth is resolved in order: env `MCP_HUB_TOKEN`, mcporter OAuth, or local `~/.mcp-hub/token.json`.

This shows the skill will use bearer/OAuth/local token credentials for backend calls. The registry requirements declare no env vars, primary credential, or config paths, so high-impact account access is under-disclosed.

User impact: The agent may use existing account credentials to view balances and initiate financial actions through the AIUSD backend.
Recommendation: Install only if you trust the provider; use a dedicated/limited account or wallet, verify token scopes, and require explicit confirmation before any trade, withdrawal, staking, or gas action.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
This skill calls the AIUSD backend via MCP... balance, trading, staking, withdraw, gas top-up, and transaction history.

Sending account and transaction data to an MCP-backed service is expected for this integration, but it is sensitive financial data and users should understand that data flow.

User impact: Balance, trading-account, and transaction information may be sent to the AIUSD/MCP backend as part of normal use.
Recommendation: Verify the backend operator, use only trusted accounts, and confirm that the service's privacy and token-handling practices are acceptable.