Automated crypto take-profit orders

Security checks across malware telemetry and agentic risk

Overview

This instruction-only crypto trading skill is not clearly malicious, but its take-profit framing understates a broader wallet-signing workflow that can create multiple swap order types and send signed order data to an external relay.

Review before installing. Use this only if you intend to create crypto swap orders beyond simple take-profit orders, trust the Orbs Spot contracts and relay endpoint, and can independently verify every approval amount, chain ID, contract address, token address, recipient, deadline, nonce, and signed payload before submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README presents the skill as a broad advanced-order DeFi protocol rather than a narrowly scoped take-profit skill. In an agent context, this scope expansion can mislead users or orchestrators into granting broader trust and enabling workflows beyond the declared purpose, increasing the chance of unintended token-spending or order-placement actions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Documenting batching multicalls and token sweeping in a take-profit skill broadens the apparent operational authority of the package beyond the expected user intent. In an agent-integrated environment, such extra admin or fund-movement capabilities can normalize dangerous actions and make it easier for downstream consumers to underestimate the skill's effective power.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README describes signing orders, transferring input tokens, and onchain execution flow without a prominent warning that these actions can spend funds irreversibly and incur loss from market movement, slippage, or misconfiguration. For an agent skill handling DeFi actions, insufficient risk disclosure increases the likelihood that users or autonomous systems invoke token-spending behavior without understanding the financial consequences.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples explicitly tell users to copy and modify relay payloads, including signature handling, without a strong warning that these are transaction-like artifacts that can lead to real order submission or unsafe signature reuse/mishandling. In a crypto trading skill context, users may treat examples as safe templates, increasing the risk of accidental live submissions, malformed signed data, or confusion around whether signatures can be reused or altered safely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the user to transmit a signed order and its signature to a third-party relay endpoint without any explicit warning about what data leaves the local environment, who receives it, or the trust assumptions involved. While submission to a relay is functionally necessary for this workflow, signed payload transmission can expose sensitive trading intent and create privacy, replay-handling, or user-consent issues if the endpoint is misconfigured, spoofed, or not clearly authenticated to the user.

External Transmission

Medium
Category
Data Exfiltration
Content
status: "pending",
};

const response = await fetch("https://agents-sink.orbs.network/orders/new", {
  method: "POST",
  headers: { "content-type": "application/json" },
  body: JSON.stringify(relayPayload),
Confidence
90% confidence
Finding
fetch("https://agents-sink.orbs.network/orders/new", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
'{order: $typed[0].message, signature: $sig, status: "pending"}' \
  > ./relay-payload.json

curl -fsS -X POST 'https://agents-sink.orbs.network/orders/new' \
  -H 'content-type: application/json' \
  --data @./relay-payload.json
```
Confidence
90% confidence
Finding
curl -fsS -X POST 'https://agents-sink.orbs.network/orders/new' \ -H 'content-type: application/json' \ --data @./relay-payload.json ``` 12. Canonical JavaScript submit path with `ethers` plus st

VirusTotal

63/63 vendors flagged this skill as clean.
