Avantis Skill

Security checks across malware telemetry and agentic risk

Overview

This trading skill appears purpose-aligned but asks for direct wallet-signing authority in unsafe ways that could put real funds at risk.

Install only if you are prepared to let the skill access a dedicated, low-funded wallet and submit real Avantis/Base mainnet transactions. Do not use a primary wallet, rotate any exposed test keys, avoid plaintext private-key files, and require manual review of approvals, collateral, leverage, and close-position details before broadcasting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The skill’s declared purpose is trading, but the documentation also reveals sensitive credential handling details and operational behaviors that materially increase risk, including use of a specific wallet and private-key file path. In a trading skill with direct wallet integration, hidden or under-declared credential access is dangerous because it enables unauthorized fund movement if the environment is compromised or if users follow the instructions without understanding the security implications.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The documentation exposes a concrete private-key file path (`/home/ubuntu/clawd/MAIN_WALLET.txt`), which advertises where a highly sensitive credential is stored on disk. Even without the key contents, disclosing the path lowers the barrier for theft by guiding attackers or unsafe automation toward the exact secret location.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The script embeds a raw wallet private key directly in source code and immediately uses it to configure a signer. In a trading skill that targets live mainnet leverage trading, this grants anyone with code access the ability to control the wallet, inspect positions, and potentially place, modify, or close trades or move funds if the key has broader authority.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script reads a private key from a hard-coded local file path and immediately uses it to sign transactions. This creates a dangerous secret-handling pattern: any user who runs the skill may unknowingly expose or misuse a real wallet, and the capability is especially risky because the skill directly performs live leveraged trading actions on mainnet.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The script is described as only viewing positions, but it loads a private key from a local wallet file and configures a local signer anyway. Reading signing credentials for a read-only operation unnecessarily expands the blast radius: anyone who can run, modify, or repurpose this script can gain access to the wallet key and perform transactions, not just inspect positions.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The module docstring claims this is a simple 2x ETH trade with $5, but the code actually approves funds and opens a 5x leveraged trade with $10 collateral on mainnet. This mismatch can mislead operators into running riskier live trading behavior than advertised, especially in an agent skill that may be trusted as a small test script.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The script directly reads a private key from a hard-coded local wallet file path and uses it to sign live blockchain transactions. This creates unauthorized credential-access capability beyond simple trade parameter handling, and any user invoking the script implicitly grants it access to a sensitive wallet secret with no isolation, prompting, or scoped authorization.

Missing User Warnings

High
Confidence: 98%
Finding
The README explicitly instructs users to store a raw wallet private key in a plaintext local file, which is an unsafe secret-handling practice. In the context of a leverage-trading skill with direct wallet integration, compromise of that file would allow an attacker or malware to take full control of on-chain funds and open, modify, or close leveraged positions, potentially causing immediate financial loss.

Missing User Warnings

High
Confidence: 98%
Finding
The skill tells users about a private-key file location without any strong warning that this is a credential equivalent to full wallet control. In the context of a leveraged trading skill connected to a funded wallet, this omission is especially dangerous because compromise of the key can directly lead to irreversible loss of funds and malicious trading activity.

Missing User Warnings

High
Confidence: 98%
Finding
Using a hardcoded private key without clear disclosure is dangerous because users may run the script unaware that it contains live signing credentials and may expose or misuse them. Since this skill is for direct wallet-integrated leveraged trading on Base mainnet, the undisclosed embedded key materially increases the risk of unauthorized trading activity and financial loss.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script submits a live position-closing transaction immediately after building it, with no confirmation prompt, dry-run mode, or explicit acknowledgement of the financial consequences. In the context of leveraged trading, closing the wrong position or amount can instantly realize losses and is effectively irreversible once broadcast on-chain.

Missing User Warnings

Medium
Confidence: 98%
Finding
The code reads a sensitive wallet private key directly from a fixed local file path with no warning, prompt, or disclosure to the user. In an agent skill context, this is especially dangerous because a seemingly harmless inspection command can silently access credentials tied to real funds, enabling wallet compromise if the file is exposed, logged, or reused by other code paths.

Missing User Warnings

High
Confidence: 99%
Finding
A hardcoded private key is embedded directly in the script and then used to initialize a local signer for live Base mainnet transactions. Anyone with access to the repository or script can extract the key, control the wallet, drain funds, or execute unauthorized approvals and trades; in a trading skill, this is especially dangerous because the code is designed to sign value-bearing transactions automatically.

Missing User Warnings

High
Confidence: 98%
Finding
The script sends real approval and trade-opening transactions to Base mainnet without any user confirmation, dry-run mode, or explicit pre-execution warning. In the context of a leveraged trading skill, this materially increases the chance of accidental fund exposure, excessive token allowance, and unintended high-risk positions being opened automatically.

Missing User Warnings

High
Confidence: 99%
Finding
The private key is silently loaded from a local file without any user-facing warning, consent, or indication that the script will access a sensitive credential. In the context of a trading skill with direct wallet integration, this is especially dangerous because it can immediately expose signing authority for live funds and makes misuse or accidental execution materially harmful.

Missing User Warnings

High
Confidence: 97%
Finding
The script automatically submits token approval and trade-opening transactions without any final confirmation step, despite these being irreversible on-chain actions. In a high-risk leveraged trading context, this increases the chance of accidental approvals, unintended exposure, or loss of funds from malformed inputs, misuse, or automation errors.

VirusTotal

65/65 vendors flagged this skill as clean.