nadfunagent

Security checks across malware telemetry and agentic risk

Overview

This is a real autonomous crypto trading skill, but it asks for wallet private keys, can run unattended live trades, stores sensitive configuration, and contains unsafe shell-command construction.

Review carefully before installing. Use only a dedicated low-balance wallet, never paste a production private key into chat, avoid unattended cron until you understand the strategy, and prefer dry-run/manual review. The shell-command construction and private-key handling should be fixed before using this with meaningful funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script performs persistent local file reads and writes to maintain a trading report, which is a capability beyond the core action implied by a token-buying utility. In a security-sensitive trading script that already uses private keys and sends transactions, undisclosed filesystem side effects increase risk by creating local artifacts, leaking trading history, and violating least surprise for users.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads a blockchain private key from the environment or a local `.env` file and then uses it to enable automatic asset sales via a child process. In a skill context, this is dangerous because credential access plus autonomous trade execution creates direct risk of unauthorized or unintended financial transactions, especially when no manifest or permission boundary is present to constrain that behavior.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The header advertises a monitoring use case, but the code always requires `MONAD_PRIVATE_KEY` before doing any work, even for non-selling runs. This is risky because it unnecessarily expands credential exposure: a read-only monitoring operation should not force users to provide a signing key.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly tells users to run trading scripts such as buy/sell and bonding execution flows, but it does not warn that these scripts may submit live on-chain transactions affecting real funds and positions. In a crypto trading skill context, omission of that warning materially increases the risk of accidental asset loss or unintended market activity by users who assume the commands are safe checks or dry runs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The post-install step instructs users to run `node execute-bonding-v2.js` as a routine validation step, which strongly implies it is safe, even though the filename and repository context suggest it may execute live trading logic. Presenting a potentially state-changing financial operation as a simple install check can cause immediate irreversible transactions and direct monetary loss.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The documentation uses a natural-language trigger phrase, "Initialize nadfunagent," to activate setup. In chat-based agent systems, overly broad or guessable trigger phrases can be invoked accidentally or by social engineering, causing unintended initialization or configuration flows.

Missing User Warnings

High
Confidence
95% confidence
Finding
The cron setup enables autonomous trading and profit distribution on a live blockchain without an explicit warning that real funds may be moved or lost. Users may enable recurring execution without understanding that the agent can place trades and transfer value automatically, increasing the risk of financial loss.

Missing User Warnings

High
Confidence
96% confidence
Finding
The installation guide instructs users to place a blockchain private key in a local `.env` file but does not clearly warn about secret-handling risks such as shell history leakage, backups, process exposure, accidental sharing, or malware on the host. For a trading agent controlling funds, weak credential guidance materially increases the chance of wallet compromise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to enable autonomous recurring mainnet trading and profit distribution on a 10-minute cron schedule, but it does not prominently warn that this can continuously spend funds, execute sells, and transfer profits on mainnet. In an agent-skill context, operational instructions are likely to be copied directly, so the lack of explicit safety gating makes accidental financial loss or unintended on-chain actions substantially more likely.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill instructs collection and persistence of highly sensitive data, including wallet secrets, into agent memory/session storage without an explicit safety boundary or minimization policy. In an agent environment, persistent memory may be exposed to logs, other skills, later prompts, or unauthorized operators, leading to wallet compromise and fund theft.

Missing User Warnings

High
Confidence
99% confidence
Finding
Requesting a blockchain private key directly from the user or loading it from local configuration without an explicit credential-handling warning normalizes unsafe secret sharing. If the key is entered into chat or broadly accessible config, compromise of the agent, transcript, or host can immediately result in irreversible theft of on-chain assets.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is designed to autonomously trade and distribute profits using real funds, yet it does not provide a clear up-front warning about irreversible financial transactions. Users may invoke it without understanding that it can buy, sell, and transfer assets automatically, causing unexpected monetary loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill requires writing discovered trading-related token data to disk without informing the user that local artifacts will be created and retained. While not as severe as private-key exposure, persistent trading data can leak strategy, holdings interest, and market activity to other local users, malware, or backup systems.

Missing User Warnings

High
Confidence
98% confidence
Finding
This section combines private-key use with automated sell logic, but lacks a strong warning that on-chain sales are irreversible and can liquidate user positions without interactive review. In the context of an autonomous trading agent, that materially increases the risk of accidental or undesired fund movements.

Missing User Warnings

High
Confidence
98% confidence
Finding
The buy-execution instructions tell the operator to use a private key to purchase tokens without prominently warning about speculative financial risk, slippage, and irreversible on-chain execution. This can mislead users into exposing credentials and authorizing trades they do not fully understand.

Missing User Warnings

High
Confidence
98% confidence
Finding
The profit-distribution workflow performs bulk direct transfers to token holders but does not clearly warn that these transfers are irreversible and may send funds to unintended recipients if holder discovery is wrong. In a blockchain setting, mistakes in recipient set or calculation can permanently misdirect assets at scale.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation advertises `--auto-sell` behavior that will execute real sell transactions based on price thresholds, but it does not clearly warn users that this can cause immediate live asset disposition on-chain. In a trading skill, omission of an explicit warning increases the chance of accidental execution, especially because the command is presented as a routine monitoring step adjacent to harmless read-only checks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The command examples include `NAD_PRIVATE_KEY=0x...` and direct buy/sell operations without an accompanying warning about secret handling, shell history exposure, and execution of live trades. In this context, users may paste real private keys into terminal commands and trigger irreversible blockchain transactions, creating both credential-compromise and financial-loss risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes fully automated mainnet trading and auto-sell behavior, including selling all positions and cron-driven execution, without prominently warning that these actions can irreversibly dispose of real assets and incur real financial loss. In the context of a trading skill, this omission materially increases the chance of unsafe operator use, especially if users run the scripts unattended or misunderstand that they target mainnet only.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to place a mainnet private key in an environment file and later demonstrates extracting it into a shell variable, but does not clearly warn that this credential grants direct control over funds and must be handled as highly sensitive secret material. In a mainnet trading context, weak guidance around secret handling raises the risk of accidental disclosure through shell history, misconfigured file permissions, logs, backups, or shared environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes position data to disk without prior warning or consent, creating persistent records of wallet activity and token holdings. Even if the data is not secret like a private key, it is sensitive operational information that can expose trading behavior, wallet linkage, and local environment details if the host is shared or monitored.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
When thresholds are met and `--auto-sell` is enabled, the script immediately executes a sell command without any just-in-time confirmation, cooldown, or secondary validation. In an automated trading skill, that can lead to irreversible asset liquidation from bad price data, manipulated API responses, misconfigured thresholds, or user misunderstanding of the flag.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script invokes `check-pnl.js --auto-sell` and later executes buy orders automatically, with no interactive confirmation, dry-run safeguard, spending cap approval step, or explicit risk acknowledgement. In the context of an autonomous trading skill tied to a real wallet, this can immediately trigger irreversible asset sales and purchases if the script is misconfigured, manipulated upstream by API data, or simply makes poor decisions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The private key is interpolated into a shell command as `NAD_PRIVATE_KEY=${privateKey} node buy-token.js ...`, exposing sensitive material to process listings, shell history/debug logs, crash reports, and potentially shell metacharacter injection if the key value is malformed or attacker-controlled. Because this skill performs real trading, compromise of the key would allow full wallet theft and unauthorized transactions.

Ssd 3

High
Confidence
99% confidence
Finding
The setup flow explicitly tells users they may provide `MONAD_PRIVATE_KEY` in chat and states that the agent will save configuration in OpenClaw memory for future use. Supplying wallet private keys through a conversational interface and persisting them in agent memory creates a severe credential-exposure risk through logs, memory inspection, prompt leakage, plugins, or future session compromise.

VirusTotal

64/64 vendors flagged this skill as clean.