ClawHub
Back to skill

Security audit

Ptrade

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Ptrade trading reference skill, but it includes copyable live-trading examples that could affect real brokerage accounts without enough safety framing.

Review before installing. Use this only for intended Ptrade strategy work, test generated strategies in backtest or paper mode first, and require explicit human approval before any live order, margin trade, futures trade, ETF operation, IPO subscription, or cancellation is submitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quick reference includes direct live-trading order examples such as `order`, `order_target`, and `order_value` without any warning that these APIs may execute real-money trades on a broker-connected account. In the context of a quantitative trading skill explicitly designed for broker-hosted low-latency execution, users may copy and run examples verbatim, creating a meaningful risk of unintended financial loss.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README includes executable-looking examples that place live buy orders and query positions in a broker-hosted trading environment, but provides no warning that these examples may execute against real accounts or cause financial loss. In the context of a low-latency broker server platform for A-shares, futures, and margin trading, omission of safety guidance materially increases the chance that users deploy sample code directly and unintentionally submit live orders.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill exposes numerous live trading functions capable of placing real-money orders, margin trades, futures trades, ETF creation/redemption, and cancellations, yet the introductory description lacks a prominent safety warning about financial risk and live execution. In an agent setting, insufficient warning materially increases the chance of unintended or unauthorized order placement from ambiguous user prompts or automation mistakes.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal