trade-with-aiusd

Security checks across malware telemetry and agentic risk

Overview

This AIUSD trading skill matches its stated purpose, but it needs Review because it can move funds and its setup/auth flows run code and change local credential state without enough user safeguards.

Install only if you trust the AIUSD publisher and are comfortable giving an assistant authenticated access to financial actions. Before running the installers, inspect the extracted package, back up any existing aiusd-skill directory, and require manual confirmation of amount, asset, chain, destination, fees/slippage, and final action before any trade, withdrawal, staking, unstaking, or gas top-up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
The skill gives conflicting instructions for re-authentication: one section forbids URLs and step-by-step guidance, while another later section includes explicit command execution and multi-step cache-clearing/login procedures. This inconsistency can cause agents to ignore safer user-facing constraints and perform hidden local auth-state changes without clear disclosure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill instructs the agent to enumerate live tools and consider newly added tools beyond those documented in the file. That expands the effective authority of the skill at runtime and can enable invocation of unexpected capabilities without prior review, violating least privilege and making prompt-level scope restrictions easy to bypass.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The installer invokes external commands (`tar -xzf` and `npm install`) on opaque embedded content without any verification, manifest validation, or consent checkpoint. This creates an arbitrary code execution path because `npm install` will execute package lifecycle scripts from the extracted package, and extraction may write attacker-controlled files if the archive is malicious.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README encourages users to execute trades, withdrawals, swaps, and staking through natural-language prompts without prominently warning about financial risk, transaction irreversibility, slippage, wallet compromise risk, or the possibility of accidental execution. In a bot/agent context, this is particularly dangerous because users may treat chat instructions as low-friction and reversible, increasing the chance of unintended asset movement or loss.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documented re-auth steps explicitly clear local auth caches and token files before starting login, but the skill does not require clear user warning or consent before these destructive actions. Removing local credential state can log users out, switch accounts, or erase troubleshooting context, creating integrity and availability risk on the host environment.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The error-handling flow tells the agent to automatically run re-auth commands on common auth failures, again without telling the user that local auth state may be cleared or replaced. Automatic remediation that mutates credential state is risky because users may not intend account switching or token deletion, and the action happens in response to routine errors.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The installer forcibly removes any existing `aiusd-skill` directory recursively and without confirmation or backup. This can destroy user data or prior installations, and because the target is derived from the current working directory, running the installer in the wrong location can cause unexpected destructive effects.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The installer writes an embedded base64 archive to disk, extracts it, and then immediately runs commands in that extracted directory with no prior disclosure of contents, integrity verification, or sandboxing. In this context, the hidden archive makes the package materially more dangerous because reviewers cannot assess what will be written or what `npm install` hooks may execute before running it.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The installer unconditionally executes `rm -rf "$SKILL_DIR"` when `./aiusd-skill` already exists, causing irreversible deletion without confirmation or backup. In the context of a self-extracting installer from an untrusted skill package, this is dangerous because it can destroy user data placed in that directory and normalizes unsafe destructive behavior.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
Running `npm install` automatically executes package lifecycle scripts such as `preinstall`, `install`, and `postinstall` from the extracted package and its dependencies, which is arbitrary code execution. Because this installer contains an embedded opaque archive and immediately installs dependencies without user review, the skill context makes this substantially more dangerous than a normal transparent installer.

VirusTotal

65/65 vendors flagged this skill as clean.