Crypto Arbitrage

Security checks across malware telemetry and agentic risk

Overview

The code behaves as a simulated crypto-trading demo, but the skill is advertised as a live automated trading tool and asks users to supply exchange credentials.

Review carefully before installing. Treat this as simulation-only unless real exchange integrations are independently verified. Do not provide live exchange keys; if testing, use sandbox or read-only keys, disable withdrawals, restrict API permissions, and avoid enabling auto-execution without explicit limits and confirmation controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The header comments describe a real-time multi-exchange scanner and executor, but the implementation uses simulated prices and simulated trade execution. In a financial trading context, this mismatch is dangerous because users may supply exchange credentials or make risk decisions based on false assumptions about what the skill actually does.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill markets itself as real-time arbitrage scanning and automatic execution, but the code only initializes simulated prices and never connects to exchanges. Because the skill also accepts credentials and exposes auto-execution controls, this deceptive behavior is more dangerous than ordinary inaccurate docs: it can induce users to trust fake opportunities and mishandle secrets.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The method is documented as executing arbitrage trades, but the non-dry-run path still only creates simulated trade records locally. In a trading skill, this can mislead operators into believing capital was deployed or hedged when no real market action occurred, causing financial and operational risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
This section promotes auto-execution and live trade execution without making sandbox mode, dry-run mode, or manual confirmation the default. In a financial trading skill, that materially increases the risk of unintended real-money orders, losses from misconfiguration, and rapid automated damage if opportunity detection is wrong or manipulated.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The credential setup examples directly instruct users to provide exchange API keys and secrets, but do not warn about secure storage, redaction, least-privilege scopes, or avoiding hardcoding. Because these credentials can control real trading accounts, poor handling could lead to credential theft, account compromise, and unauthorized trading activity.

Missing User Warnings

Severity: High
Confidence: 93%
Finding
The code triggers auto-execution purely from internal thresholds without requiring a per-trade confirmation or an explicit user-facing warning at execution time. In a financial automation context, autonomous trade placement materially increases the chance of unintended transactions, runaway activity, or misuse when configuration is wrong or the environment changes.
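The execution gate that the two auto-execution findings above (no safe default mode, no per-trade confirmation) say is missing, as an added example that is not the skill's own code: dry-run is the default, a live order needs an explicit yes from a confirmation callback, and per-order and per-session caps are enforced before anything reaches a venue. TradeGate, GateConfig, Order and the live_submit callback are hypothetical names, and the cap values are illustrative.

```python
"""Execution gate for an auto-trading skill.

Added example, not the skill's own code. Dry-run is the default, live orders
require a confirmation callback, and notional / order-count caps are checked
before either path. TradeGate, GateConfig, Order and live_submit are
hypothetical names; the cap values are illustrative defaults.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Order:
    symbol: str
    side: str        # "buy" or "sell"
    quantity: float  # base-asset amount
    price: float     # expected fill price in quote currency

    @property
    def notional(self) -> float:
        return self.quantity * self.price


@dataclass
class GateConfig:
    dry_run: bool = True                 # safe default: nothing reaches a venue
    require_confirmation: bool = True    # live orders need an explicit yes
    max_order_notional: float = 100.0    # cap per order, quote currency
    max_session_notional: float = 500.0  # cap across the whole session
    max_orders: int = 10                 # cap on orders per session


class TradeGate:
    """Every order passes validation, caps, dry-run and confirmation, in that order."""

    def __init__(self, config: GateConfig,
                 confirm: Optional[Callable[[Order], bool]] = None) -> None:
        self.config = config
        self.confirm = confirm
        self.spent = 0.0
        self.count = 0
        self.log: List[str] = []

    def submit(self, order: Order, live_submit: Callable[[Order], str]) -> str:
        cfg = self.config
        if order.side not in ("buy", "sell") or order.quantity <= 0 or order.price <= 0:
            raise ValueError(f"malformed order: {order}")
        # Caps are checked before the dry-run branch so a misconfigured
        # strategy trips them in simulation rather than on the first live run.
        if order.notional > cfg.max_order_notional:
            raise PermissionError(
                f"order notional {order.notional:.2f} exceeds per-order cap "
                f"{cfg.max_order_notional:.2f}")
        if self.spent + order.notional > cfg.max_session_notional:
            raise PermissionError("session notional cap would be exceeded")
        if self.count >= cfg.max_orders:
            raise PermissionError("session order-count cap reached")
        if cfg.dry_run:
            # Dry-run still consumes the caps so the simulation is faithful.
            self.spent += order.notional
            self.count += 1
            self.log.append(f"DRY-RUN {order.side} {order.quantity} {order.symbol} @ {order.price}")
            return "dry-run"
        if cfg.require_confirmation:
            if self.confirm is None:
                raise PermissionError("live execution requires a confirmation callback")
            if not self.confirm(order):
                self.log.append(f"REJECTED by operator: {order.side} {order.quantity} {order.symbol}")
                return "rejected"
        order_id = live_submit(order)  # reached only after every gate passed
        self.spent += order.notional
        self.count += 1
        self.log.append(f"LIVE {order_id} {order.side} {order.quantity} {order.symbol}")
        return order_id


if __name__ == "__main__":
    # Constructed sample: a 50-unit order against a fake venue callback.
    order = Order("ETH/USDT", "buy", 0.25, 200.0)
    fake_venue = lambda o: "ord-0001"
    print(TradeGate(GateConfig()).submit(order, fake_venue))              # dry-run
    gate = TradeGate(GateConfig(dry_run=False), confirm=lambda o: False)
    print(gate.submit(order, fake_venue))                                  # rejected
    gate = TradeGate(GateConfig(dry_run=False), confirm=lambda o: True)
    print(gate.submit(order, fake_venue))                                  # ord-0001
```

The confirmation callback is where a human prompt, a chat approval step, or a policy engine would plug in; the point is that a live order cannot be placed at all when no such hook is configured.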

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The skill accepts and stores exchange credentials without any visible disclosure, validation, masking, or lifecycle protections. Even though this file does not exfiltrate them, collecting sensitive API keys in a loosely managed in-memory map increases the risk of accidental exposure, misuse, or unsafe deployment patterns.
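The credential handling that the two credential findings above (setup examples without warnings, keys kept in a loosely managed map) say is missing, as an added example that is not the skill's own code: keys are read from the environment rather than written into source, the record masks secrets in repr and log lines, the declared permission set is checked for least privilege before any use, and the record can be wiped at the end of a session. ExchangeCredential, the EXCHANGE_* variable names and the scope strings are hypothetical; real exchanges name their permissions differently.

```python
"""Credential handling for a skill that accepts exchange API keys.

Added example, not the skill's own code. ExchangeCredential, the EXCHANGE_*
environment variable names and the scope strings are hypothetical.
"""
import os
from dataclasses import dataclass
from typing import FrozenSet, Mapping

ALLOWED_SCOPES = frozenset({"read", "trade"})
FORBIDDEN_SCOPES = frozenset({"withdraw", "transfer", "margin"})


def mask(secret: str, keep: int = 4) -> str:
    """Fixed-width mask plus the last `keep` characters; never reveals length or prefix."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * 8 + secret[-keep:]


@dataclass(repr=False)
class ExchangeCredential:
    exchange: str
    api_key: str
    api_secret: str
    scopes: FrozenSet[str] = frozenset({"read"})

    def __repr__(self) -> str:
        # The secret is never rendered; the key is masked so logs stay useful.
        return (f"ExchangeCredential(exchange={self.exchange!r}, "
                f"api_key={mask(self.api_key)!r}, scopes={sorted(self.scopes)})")

    def check_least_privilege(self, want_trading: bool) -> None:
        """Refuse keys that can move funds, carry unknown scopes, or cannot do what was asked."""
        forbidden = self.scopes & FORBIDDEN_SCOPES
        if forbidden:
            raise PermissionError(
                f"{self.exchange} key carries fund-moving scope(s) {sorted(forbidden)}; "
                "use a key without withdrawal rights")
        unknown = self.scopes - ALLOWED_SCOPES
        if unknown:
            raise PermissionError(f"{self.exchange} key declares unrecognised scope(s) {sorted(unknown)}")
        if want_trading and "trade" not in self.scopes:
            raise PermissionError("auto-execution requested but the key is read-only")

    def wipe(self) -> None:
        """Best-effort lifecycle end: drop the secrets from the object once the session is over."""
        self.api_key = ""
        self.api_secret = ""


def load_from_env(exchange: str, environ: Mapping[str, str] = os.environ) -> ExchangeCredential:
    """Read EXCHANGE_<NAME>_API_KEY / _API_SECRET / _SCOPES; no hardcoded fallback."""
    prefix = f"EXCHANGE_{exchange.upper()}_"
    key = environ.get(prefix + "API_KEY", "")
    secret = environ.get(prefix + "API_SECRET", "")
    if not key or not secret:
        raise KeyError(f"{prefix}API_KEY and {prefix}API_SECRET must both be set")
    raw = environ.get(prefix + "SCOPES", "read")
    scopes = frozenset(s.strip().lower() for s in raw.split(",") if s.strip())
    return ExchangeCredential(exchange, key, secret, scopes)


def redact(line: str, *secrets: str) -> str:
    """Replace any literal occurrence of the given secrets in a log line with the masked form."""
    for s in secrets:
        if s:
            line = line.replace(s, mask(s))
    return line


if __name__ == "__main__":
    # Constructed environment; no real exchange or key is involved.
    env = {
        "EXCHANGE_DEMO_API_KEY": "demo-key-0123456789abcdef",
        "EXCHANGE_DEMO_API_SECRET": "demo-secret-fedcba9876543210",
        "EXCHANGE_DEMO_SCOPES": "read,trade",
    }
    cred = load_from_env("demo", env)
    print(cred)                                   # key masked, secret absent
    cred.check_least_privilege(want_trading=True) # passes: read+trade, no withdraw
    print(redact(f"auth header built with {cred.api_key}", cred.api_key, cred.api_secret))
    cred.wipe()
```

The scope check is deliberately allow-listed: a key whose permissions the skill does not recognise is rejected rather than assumed harmless, which is the conservative choice when the strings come from a user-supplied environment variable.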

VirusTotal

All 66 vendors reported this skill as clean (0 of 66 detections).