ClawHub

Vibetrading

Security checks across malware telemetry and agentic risk

Overview

This documentation-only crypto trading skill is purpose-aligned, but its live-trading examples can use private keys to place real trades without enough safety guidance.

Install only if you intend to work with live crypto trading automation. Verify the external vibetrading package first, start with backtests or testnet/paper trading, use isolated low-balance accounts and least-privilege keys, keep private keys out of chat and repositories, set explicit position/loss limits and a stop procedure, and manually review any AI-generated strategy before deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill provides concrete instructions for live deployment and market-order execution using real exchange credentials, but it does not prominently warn that these actions can immediately place real trades with real funds. In an agent context, this increases the chance that a model or user could transition from experimentation to live execution without adequate human confirmation, risk disclosure, or safeguards.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents handling exchange API keys and private keys in environment files without clear secret-management warnings or operational guidance. In a live trading context, exposed credentials could enable unauthorized trading, account takeover, or theft, especially because some listed secrets are blockchain private keys rather than low-privilege API tokens.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The live trading section shows how to start a real exchange runner and load wallet/private key material, but it does not prominently warn that this can place real orders with real funds or that the secrets are highly sensitive. In a trading skill, users may copy-paste examples directly, so omission of safety guidance materially increases the chance of accidental live trading or poor credential handling.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal