moss-trade-bot-factory-en

Security checks across malware telemetry and agentic risk

Overview

This trading-bot skill is mostly transparent, but it needs Review because it can store platform trading credentials and run automatic order actions with limited built-in safeguards.

Install only if you are comfortable with a skill that can submit trading-bot data to the configured platform, store platform API credentials locally, and run automated simulated-trading order loops. Review the configured platform URL and credentials path, keep the credentials file private, set a finite max-cycles value for live runs, and require an explicit confirmation before any upload or auto-trading session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding
The skill instructs the agent to perform shell execution, local file reads/writes, Python environment setup, and optional network access, yet the manifest declares no permissions or equivalent capability gating. This creates a real trust-boundary problem: a host or reviewer may assume the skill is non-privileged while it can install packages, fetch remote data, store credentials, and invoke external services after only conversational prompts.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The upload trigger is defined as explicit phrases like 'upload' or 'submit for verification' plus vague 'or equivalent' wording, which creates ambiguity about what user intent is sufficient to initiate an external submission. In a skill that can package and transmit trading-bot artifacts and credentials to a remote platform, underspecified authorization boundaries increase the risk of unintended network actions from loosely phrased user requests.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding
The manual states that if the user says 'start auto trading,' that alone authorizes direct auto mode without per-order confirmation, but it does not define clear exclusion boundaries or require a fresh, high-assurance confirmation. Because this capability can place real market orders repeatedly, broad natural-language authorization materially increases the chance of accidental or premature activation of automated trading.

Missing User Warnings

Severity: High
Confidence: 92%
Finding
The CLI exposes destructive trading operations (`open-long`, `open-short`, `close`) that can be invoked directly with credentials and parameters, without any interactive confirmation, dry-run mode, or explicit warning at execution time. In a trading skill, this is especially risky because a mistaken command, automation error, or prompt-induced invocation can immediately create or close positions with financial consequences.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The `bind` flow saves `api_key` and `api_secret` to a JSON file in plaintext with no warning, permission hardening, or encryption. If the file is stored in a shared home directory, committed accidentally, or read by other local processes/users, an attacker could reuse the credentials to access the linked trading account or bot.

VirusTotal

65/65 vendors flagged this skill as clean.