Crypto Trading Bot

Security checks across malware telemetry and agentic risk

Overview

This skill is instruction-only and coherent, but it promotes automated crypto trading without enough guardrails for live execution, financial loss, or API-key safety.

Install only if you intentionally want crypto trading bot development guidance. Do not share seed phrases or full-access exchange keys; use paper trading or testnets first, disable withdrawals on API keys, set strict order and loss limits, and require manual approval before any live trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrase "整交易Bot" is broad and generic enough that the skill could be invoked in contexts where the user is only discussing trading automation rather than explicitly requesting this specific skill. In a high-risk domain like automated crypto trading, unintended invocation can steer users into code generation or operational guidance for bots without clear confirmation, increasing the chance of unsafe or unauthorized automation workflows.

Missing User Warnings

High
Confidence: 96%
Finding
The skill advertises automated trading, exchange API integration, arbitrage, and flash-loan-related workflows without any warning about financial loss, API key exposure, account restrictions, liquidation risk, or compliance issues. In this context, omission of safety warnings is dangerous because users may be guided into deploying live trading systems or sharing sensitive exchange credentials without understanding the operational and security risks.

VirusTotal

63/63 vendors flagged this skill as clean.
