[1m-trade] AI Autonomous Trading

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides crypto market data, wallet setup, and live autonomous trading, but it grants recurring real-money trading authority and handles sensitive wallet keys with insufficient guardrails.

Install only if you intentionally want to give this skill trading authority. Prefer read-only market analysis unless you have reviewed hl1m, understand the proxy/API key permissions, can secure the .env file, and are comfortable with a cron job that may place live trades. Do not paste main wallet private keys into chat; use scoped proxy keys only, and disable or remove the cron job when you are not actively using autonomous trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92%
Finding
The skill declares no explicit permissions while its instructions clearly require shell execution, environment access, and local state manipulation. This mismatch weakens host-side trust boundaries because a user or platform may treat the skill as low-privilege even though it can drive sensitive actions such as wallet initialization, dependency installation, and cron creation.

Intent-Code Divergence

Medium
Confidence
88%
Finding
The file creates a safety-boundary mismatch: this agent says Trend Trader must not execute trades automatically, while the broader skill metadata advertises fully autonomous AI trading. In an on-chain trading context, conflicting instructions can cause an orchestrator or downstream agent to treat advisory output as authorization to trade, leading to unintended financial transactions.

Intent-Code Divergence

Medium
Confidence
84%
Finding
The autonomous workflow says both 'Do not create or modify any files' and also requires overwriting a dependency memory file. Contradictory instructions are dangerous because agents may resolve the conflict unpredictably and still perform writes, reducing auditability and increasing the chance of unintended state changes during unattended execution.

Description-Behavior Mismatch

Medium
Confidence
89%
Finding
Although presented as an orchestration skill, it also directs package installation, cron-job lifecycle management, and unattended execution setup. That expands its authority far beyond simple routing and creates a pathway from normal conversation into persistent system changes and autonomous financial actions.

Context-Inappropriate Capability

Medium
Confidence
90%
Finding
The skill instructs the agent to install or enable missing skills through unspecified system mechanisms. Auto-install behavior is risky because it allows the skill to expand its own capabilities at runtime, potentially pulling in unreviewed code or changing the execution environment without informed approval.

Vague Triggers

Medium
Confidence
77%
Finding
The Market Scout agent can be triggered by a very generic phrase such as 'How is the market today?', which increases the chance of accidental or hidden invocation from normal conversation. In multi-agent environments, broad activation patterns can be abused through prompt injection or indirect user content to trigger actions the user did not explicitly intend.

Vague Triggers

Medium
Confidence
91%
Finding
The Wallet Setup trigger is especially risky because it combines broad natural-language matching with multilingual equivalents and a workflow that may process wallet addresses and proxy private keys. Overbroad activation in a credential-handling flow increases the chance that unrelated text, pasted logs, or adversarial prompts cause the agent to parse secrets and initiate sensitive wallet-binding commands.

Vague Triggers

Medium
Confidence
80%
Finding
Using common conversational questions like 'Can I buy BTC now?' as an activation condition makes the trading workflow easy to invoke unintentionally. In a skill ecosystem that includes DEX interaction and autonomous trading claims, ambiguous triggers increase the risk that routine discussion escalates into market queries or trade-oriented workflows without clear user consent.

Missing User Warnings

Medium
Confidence
95%
Finding
The instructions tell the system to pass a proxy private key directly into a shell command, which exposes sensitive material to process arguments, shell history, logs, telemetry, and crash reports. In a wallet-management and trading skill, even a proxy/API private key can enable unauthorized trading or account manipulation, so this handling pattern materially increases credential-compromise risk.

Vague Triggers

Medium
Confidence
86%
Finding
Broad triggers like 'price', 'news', 'open', and 'managed' can match ordinary conversation and accidentally route the agent into wallet, trading, or automation workflows. In this skill, that ambiguity is more dangerous because routed flows can lead to shell commands, secret handling, and real trading actions.

Vague Triggers

Medium
Confidence
83%
Finding
The skill says it routes based on 'intent keywords' but does not define strong boundaries for when workflows must not run. This makes false activation more likely, especially for sensitive paths like wallet binding and autonomous trading, where a mistaken interpretation can trigger high-impact actions.

Missing User Warnings

High
Confidence
95%
Finding
The skill enables real-money autonomous trading on a schedule and instructs the agent to avoid intermediate confirmations. That is high risk because it combines unattended financial execution, recurring operation, and command/control persistence without strong user-facing warnings, loss limits, or per-run approval.

Missing User Warnings

Medium
Confidence
93%
Finding
The wallet-binding flow encourages users to provide a wallet address and proxy private key in chat so the agent can execute a shell command. Even though it says not to echo secrets, collecting credentials through chat and passing them into command execution materially increases the risk of credential exposure, logging leakage, prompt injection abuse, and unauthorized trading.

Vague Triggers

Medium
Confidence
94%
Finding
The wallet-binding trigger is broad enough that ordinary setup/help requests could cause the agent to enter a sensitive credential-handling flow. In this skill’s context, that raises the chance of soliciting or processing wallet addresses and proxy private keys during ambiguous interactions, which can lead to secret exposure or unintended account binding.

Vague Triggers

Medium
Confidence
95%
Finding
Marking recognized intents as 'non-exhaustive' with loosely defined wording creates ambiguous scope for when the agent should treat a message as authorization to process wallet-binding data. In a crypto trading skill, this ambiguity is especially dangerous because it can cause the model to over-interpret natural language and ingest highly sensitive key material without clear user intent.

Missing User Warnings

Medium
Confidence
91%
Finding
The document presents live trading commands such as market orders, leverage updates, margin transfers, and blanket order cancellation with no explicit warning that these actions can execute on mainnet and cause immediate financial loss. In an autonomous AI trading skill, omission of strong safety guidance materially increases the chance that a user or agent runs destructive commands unintentionally.

Missing User Warnings

Medium
Confidence
95%
Finding
The wallet-binding section instructs users to pass a private key directly on the command line and even encourages natural-language extraction of address and proxy private key for automated execution. Command-line secrets can leak via shell history, process inspection, logs, agent transcripts, or telemetry, making credential compromise and unauthorized trading realistically exploitable.

Vague Triggers

Medium
Confidence
76%
Finding
The trigger phrases for the market snapshot scenario are broad enough that normal user conversation could unintentionally activate the skill and cause outbound API requests. In an autonomous agent context, overbroad routing can lead to unexpected tool use, unnecessary network activity, and unintended disclosure of market-intent context to a third-party API.

Vague Triggers

Medium
Confidence
76%
Finding
Open-ended fund-flow triggers such as 'where is money flowing' or 'smart money' are ambiguous and can match ordinary discussion, causing unintended invocation. In a skill that performs external requests, this creates a prompt-routing vulnerability where benign conversation may trigger unneeded calls and data handling.

Vague Triggers

Medium
Confidence
78%
Finding
The macro scenario includes vague phrases like 'is it a good entry,' which can occur in many contexts and may route unrelated conversations into this skill. Because the skill then performs multiple external API calls and returns trading-oriented analysis, accidental activation can produce unintended autonomous behavior.

Vague Triggers

Medium
Confidence
75%
Finding
The derivatives trigger set is underspecified and includes broad concepts like 'leverage risk,' which may overlap with general financial discussion. This can cause the agent to invoke the skill unexpectedly and issue third-party API requests based on ambiguous user language.

Vague Triggers

Medium
Confidence
80%
Finding
Keyword-search triggers like 'search [keyword]' and '[keyword] news' are especially collision-prone because they mirror common assistant requests. In this skill, such broad matching can redirect generic search requests into a specialized third-party API workflow without clear user consent.

Vague Triggers

Medium
Confidence
82%
Finding
The intent-mapping table contains broad phrases without exclusion logic, increasing the chance of routing collisions with other skills or ordinary conversation. In an agent ecosystem, this can lead to unintended skill selection, unnecessary network access, and confusing or unsafe autonomous behavior.

Credential Access

High
Category
Privilege Escalation
Content
        - hl1m
        - openclaw
      configPaths:
        - ~/.openclaw/.1m-trade/.env
        - $OPENCLAW_STATE_DIR/.1m-trade/.env
      env:
        - BLOCKBEATS_API_KEY
Confidence
88%
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
        - openclaw
      configPaths:
        - ~/.openclaw/.1m-trade/.env
        - $OPENCLAW_STATE_DIR/.1m-trade/.env
      env:
        - BLOCKBEATS_API_KEY
        - HYPERLIQUID_PRIVATE_KEY_ENC
Confidence
96%
Finding
.env

VirusTotal

VirusTotal findings are pending for this skill version.