bybit-order-book

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it explicitly automates bypassing ByBit’s Cloudflare protection and recommends unsafe system-wide Python installs.

Install only in a virtual environment or container, not with --break-system-packages. Before using the downloader, confirm that automated access to ByBit’s history-data page is allowed for your use case, respect rate limits and terms, and prefer manual or officially supported data access if available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The script explicitly states it uses undetected-chromedriver to bypass Cloudflare protection, which is a deliberate anti-bot evasion technique rather than ordinary browser automation. This increases legal, compliance, and platform-abuse risk, and normalizes tooling that can be repurposed to circumvent access controls on third-party services; in this skill context, that makes the downloader more dangerous because the stated purpose is bulk historical data retrieval from an external site.

Missing User Warnings

Medium
Confidence: 94%
Finding
The dependency installation command includes pip's --break-system-packages flag without any warning, which encourages modification of system-managed Python environments. This can destabilize the host, override distro-managed packages, and create downstream security and maintenance issues, especially if an agent executes instructions automatically on a user's machine.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document explicitly instructs users to use 'undetected-chromedriver or similar' to get past Cloudflare protection, which normalizes anti-bot bypass behavior without any warning about legal, contractual, or access-control implications. In a skill that automates bulk historical data collection, this guidance increases the likelihood that users will deploy evasion tooling against a protected service in ways that may violate terms of service or trigger defensive responses.

VirusTotal

66/66 vendors flagged this skill as clean.
