prana-cyf-20260328-test01

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as a TradingView analysis helper but runs as a remote Prana client that fetches and stores credentials and sends user prompts to an external service.

Install only if you intentionally want a remote Prana execution client and trust claw-uat.ebonex.io with prompts, trading context, and any account/contact identifiers present in your environment. Avoid the global OpenClaw config and gateway restart steps unless you understand their effect, and disable automatic key fetching or disk persistence if you do not want credentials saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares itself as a local technical-analysis tool, yet its instructions require environment access, network calls, and configuration changes without declaring those capabilities. This hidden capability expansion is dangerous because it can lead operators or agent runtimes to grant broader privileges than users would reasonably expect, including secret handling and system-level changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose is local indicator computation, but the documented behavior includes retrieving API keys, persisting credentials, contacting external services, forwarding user prompts, and polling for remote results. This mismatch materially increases risk because users may unknowingly disclose data or allow remote execution pathways unrelated to the advertised function.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
A skill advertised as a local technical-analysis tool instructs users to fetch API keys from a remote endpoint and then use external client scripts to execute the workflow. In this context, the mismatch makes the behavior more dangerous because financial-analysis users would not expect credential retrieval and remote task execution as a prerequisite for indicator calculations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation directs the operator to obtain secret/public keys, write them into platform-wide environment configuration, and restart the gateway. This is highly dangerous because it elevates the skill from data analysis to platform credential provisioning and service-state modification, creating opportunities for secret exposure, misuse of privileged keys, and broader system compromise if the remote service or documentation is untrusted.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The skill is positioned as a Python analysis toolkit, but the instructions default to Node.js and require additional package installation and runtime selection. This is not as severe as secret handling, but it still expands the attack surface and increases the chance of users running unexpected code paths or dependency chains unrelated to the stated purpose.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The client is positioned as a local TradingView technical analysis tool, but this code path builds and submits skill invocation content to a remote Prana/agent backend. That mismatch is security-relevant because users may disclose market data, prompts, or workflow context under the assumption of local processing, creating undisclosed data exfiltration and trust-boundary expansion.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This section sends the full user message, skill parameters, thread ID, and request ID to an external service endpoint (/api/claw/agent-run and follow-up polling). In the context of a supposed technical indicator helper, this creates undisclosed outbound data transfer and allows a remote service to process arbitrary user inputs, which is more dangerous because the skill description does not prepare users for cloud handling.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code automatically reads ACCOUNT_ID, email, and phone-related environment variables to fetch API keys from a remote service. For a technical analysis assistant, silently harvesting identity-related environment data is unnecessary for core indicator computation and expands the privacy and credential-recovery attack surface.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code includes functionality to persist fetched API credentials locally in JSON form under the skill directory. In a skill advertised for technical analysis, storing long-lived remote access credentials on disk without strong safeguards increases the chance of accidental disclosure through local compromise, backups, or repository commits.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a local TradingView technical analysis toolkit, but the file explicitly acts as a thin client that forwards user input to a remote Prana service for execution. This is a material capability mismatch that can expose user data to an undisclosed external service and defeats user expectations about local-only processing.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The client can automatically request API keys from a remote service and then persist them locally, which is far beyond the stated purpose of a technical indicator tool. Auto-provisioning credentials and storing them without an explicit trust boundary or consent expands the blast radius if the machine or repository is later compromised.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code can create or fetch remote account API credentials using identity-related parameters from the environment, which is unrelated to ordinary indicator computation. In the context of a supposed analysis utility, this hidden account/bootstrap capability is suspicious and can onboard users to a remote platform without meaningful awareness.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The invoke path sends arbitrary user-provided content to a generic remote agent-run endpoint using a skill key loaded from metadata, giving the package a general remote agent execution capability rather than a narrowly scoped technical-analysis function. In this skill context, that mismatch makes the behavior more dangerous because users may submit proprietary trading strategies or market data believing computation is local and bounded.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions expose retrieval and setup of secret keys without any warning about credential sensitivity, handling requirements, or trust boundaries. In practice, this can normalize unsafe secret distribution and cause users or agents to fetch, print, persist, or transmit privileged credentials without adequate safeguards.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation instructs a gateway restart with no warning about service disruption, privilege requirements, or operational impact. In shared or production environments, this can cause unnecessary downtime or interrupt unrelated workloads under the guise of using a simple analysis skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
After automatically obtaining API credentials, the client writes them to config/api_key.txt by default, with no prior consent and only optional environment flags to disable this. Silent secret persistence is dangerous because it creates durable credentials on disk that other local users, malware, backups, or version control may expose.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Sensitive API credentials fetched from the service are written to config/api_key.txt and optionally config/api_key.json without an interactive warning or confirmation. Plaintext persistence increases exposure through local compromise, accidental inclusion in backups, or committing secrets into source control.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The code transmits the assembled user message content to a remote service without any user-facing disclosure at execution time. For a skill marketed as a local technical-analysis tool, this can lead to unintended disclosure of sensitive prompts, proprietary market views, or account-related context.

VirusTotal

No VirusTotal findings
