trade-agent

Security checks across malware telemetry and agentic risk

Overview

This trading skill appears related to its stated purpose, but it needs review because it can move funds and its installer performs opaque, potentially destructive setup without clear confirmation.

Install only after reviewing the unpacked package contents. Confirm you are comfortable with a skill that can initiate real financial actions, handle local auth tokens, delete a prior local install directory, and run npm dependency scripts. Use small transaction limits, verify every asset, amount, chain, and destination, and require explicit confirmation before any trade, withdrawal, staking, or gas top-up action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence
Severity: Medium | Confidence: 92%
Finding: The header describes the file as containing the complete skill package, but the actual behavior is a self-extracting installer that writes files, deletes directories, and executes external commands. That mismatch is dangerous because it obscures the true trust boundary and can mislead users or reviewers into running code they would otherwise inspect more carefully.

Intent-Code Divergence
Severity: Medium | Confidence: 95%
Finding: The installer does more than passive extraction: it forcefully deletes any existing aiusd-skill directory and then runs npm install, which can execute arbitrary package lifecycle scripts from the embedded package. Because the payload is base64-embedded and not inspectable before execution, the user is being asked to trust opaque code that both modifies the filesystem and triggers code execution.

Missing User Warnings
Severity: Medium | Confidence: 94%
Finding: The README encourages users to perform high-risk financial operations such as trading, staking, withdrawals, and automatic authentication through casual chat prompts, but it does not clearly warn about irreversible transactions, financial loss, wallet/account compromise, or the need for explicit user confirmation. In the context of a bot skill that can trigger real asset movement, presenting these actions as simple conversational commands materially increases the chance of unsafe use, social engineering, or accidental execution.

Missing User Warnings
Severity: Medium | Confidence: 77%
Finding: The skill instructs the agent to clear local auth caches and token files and initiate browser OAuth flows without an explicit consent or confirmation boundary. In a financial skill, hidden or automatic credential-state changes can surprise users, cause account switching, or erase local session material in ways that are hard to audit or recover from.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding: This skill exposes state-changing financial operations including trading, staking, withdrawals, and gas top-ups, but the document lacks a prominent safety notice and confirmation requirements for actions that can move user funds. In a finance context, insufficient warning and confirmation increases the risk of accidental or misunderstood irreversible transactions.

Missing User Warnings
Severity: High | Confidence: 98%
Finding: The installer unconditionally removes any existing aiusd-skill directory with recursive deletion and no confirmation, backup, or path safety checks beyond a fixed join. This can destroy local user data, custom modifications, secrets, or prior installs, and the opaque package format makes it harder for users to assess the risk before running it.

Missing User Warnings
Severity: Medium | Confidence: 97%
Finding: The installer extracts an embedded tarball and runs npm install, which can execute arbitrary package lifecycle scripts from hidden contents that are not reviewable from this file alone. In a skill installer context, this is especially dangerous because users may treat it as routine setup while it effectively grants code execution to the packaged archive and its dependencies.

Missing User Warnings
Severity: Medium | Confidence: 96%
Finding: The script unconditionally runs rm -rf on the target installation directory if it already exists, with no confirmation, backup, or safety guard. This can destroy local user changes or other important data if the directory contains anything valuable, making the installer unexpectedly destructive.

Missing User Warnings
Severity: Low | Confidence: 88%
Finding: The installer extracts an embedded tarball into a newly created directory under the current working directory without clearly warning what files will be created. Since the archive contents are opaque until after execution, this increases the risk of unexpected file writes and makes review difficult, especially in a security-sensitive skill installer.

Missing User Warnings
Severity: Medium | Confidence: 98%
Finding: Running npm install automatically is dangerous because npm may execute preinstall, install, postinstall, and other lifecycle scripts defined by the embedded package or its dependencies. In this installer, those scripts come from a hidden self-extracting payload, so the user is exposed to arbitrary code execution immediately after running the installer.

VirusTotal

66/66 vendors reported this skill as clean.