paper-test

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed paper-trading simulator that starts a local service and uses a quote API key, with some configuration and multi-account scoping caveats but no evidence of malicious behavior.

Install only if you are comfortable with a skill that creates a local Python environment, starts a localhost simulator, stores simulated trading records locally, and sends quote lookups with your Stocki API key to the configured gateway. Treat it as simulation only, review active WORKING orders before restarting, and be careful with multi-account setups because local authenticated event and account queries can expose all configured simulated accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill declares no permissions while its instructions clearly rely on environment variables, local file reads/writes, shell execution, and network access. That mismatch is dangerous because it hides the real capability surface from reviewers and users, making it easier for a seemingly simple trading skill to spawn processes, modify local state, and contact external services without explicit scrutiny.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding
The public description frames the skill as a paper-trading assistant, but the instructions also authorize broader operational behavior such as lifecycle control, diagnostics, bootstrap/setup actions, reconciliation/event access, and local state initialization. This mismatch increases risk because users may invoke a skill expecting harmless read/write trading simulation while the agent is also empowered to run shell commands, alter local configuration, and manage services.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
All authenticated callers share a single bearer token and the API does not bind that caller to a specific simulated trading account. Endpoints for accounts, positions, orders, fills, and events allow querying arbitrary account IDs or listing configured accounts, which enables cross-account data exposure and order intelligence leakage between tenants or users of the skill.

Context-Inappropriate Capability

Low
Confidence: 89%
Finding
The capabilities endpoint returns the full list of configured account identifiers to any authenticated caller, even though this is not necessary for market capability discovery. This leaks internal account inventory and makes it easier for a caller to target other endpoints with valid account IDs for additional data access.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The documentation states that omitting `account_id` returns events for all accounts, which expands visibility beyond the described single-account paper-trading scope (`acc_default`). If the agent follows this guidance, it could retrieve cross-account order and activity data unnecessarily, creating an authorization and data-exposure risk even in a simulated trading environment.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README states that the skill will automatically spawn a local trading simulator on first use, but it does not clearly disclose that installing or invoking the skill causes a local process to be launched. Undisclosed process creation is a meaningful security and trust issue because it creates side effects on the user's machine, may open ports or consume resources, and reduces the user's ability to make an informed consent decision before execution.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README says quote requests are delegated to a hosted market-data gateway, but it does not warn users that the skill performs external network access. Undisclosed outbound communication is dangerous because it can transmit usage patterns, symbols queried, account-related metadata, or other sensitive context to a third party, and users may operate in environments where network egress must be explicitly approved.

Missing User Warnings

Medium
Confidence: 92%
Finding
The file documents that `/v1/events` returns all accounts' events by default and provides no warning that this may expose other accounts' trading activity. Because the skill otherwise centers on one default account and recovery workflows, this default makes accidental over-collection of account data more likely and increases the chance an agent surfaces unrelated account activity to users.

Missing User Warnings

Medium
Confidence: 94%
Finding
The troubleshooting guide presents `start`/`stop` lifecycle commands before prominently warning that a restart cancels all WORKING orders. In a trading assistant, this can cause users or operators to trigger a restart during incident response and unintentionally lose simulated open orders, producing integrity and availability issues in the paper-trading workflow.

Autonomous Decision Making

Medium
Category: Excessive Agency
Content
python3 {baseDir}/scripts/diagnose.py

R7 covers explicit `lifecycle.py start | stop | status | logs`. In normal
chat, report outcomes only — do not ask the user to run lifecycle commands.

### First-run account setup
Confidence: 71%
Finding
"do not ask the user"

Tool Parameter Abuse

High
Category: Tool Misuse
Content
Calls `POST /v1/orders` via `scripts/_http.py`.

- **R2 — cancel order.** Triggers: "撤单", "取消", "cancel", "撤掉".
  → `references/cancel-order.md`. Calls `DELETE /v1/orders/{order_id}`.

- **R3 — account state.** Triggers: "余额", "持仓", "盈亏", "balance",
  "positions", "P&L". → `references/account-state.md`. Calls
Confidence: 86%
Finding
`DELETE /v1/orders/{order_id}`

VirusTotal

66/66 vendors flagged this skill as clean.