moss-trade-bot-factory

Security checks across malware telemetry and agentic risk

Overview

This trading-bot skill is mostly coherent, but it can store reusable platform credentials and run unattended leveraged trading after a broad approval.

Install only if you intentionally want a skill that can move from local crypto backtests to platform-connected live trading. Verify the platform URL, protect or rotate the saved credentials, use low leverage and small position limits, set a max cycle count for live runs, and do not enable automatic trading unless unattended orders are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill directs the agent to perform shell execution, local file reads/writes under /tmp and user home, and optional network access to an external platform, yet declares no permissions. This creates a capability/permission mismatch that weakens user awareness and platform policy enforcement, especially in a trading context where local credential files and outbound requests are involved.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file provides real credentialed trading and realtime bot creation operations, including opening and closing positions, despite the broader skill being described primarily around local backtesting and simulation. This mismatch can mislead users or downstream agents into granting credentials or invoking live-market actions they did not expect, increasing the chance of unauthorized or risky financial operations.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module docstring frames the tool as a simulation-platform CLI, but the implemented commands perform live trading actions such as opening and closing positions. In a trading context, misleading labeling is dangerous because users may treat the tool as non-production or low-risk and accidentally execute irreversible market orders with real funds.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation encourages use of extreme leverage, large per-trade capital allocation, and profit-amplifying rolling positions, but does not include a clear risk disclosure about liquidation, rapid capital loss, or the compounding danger of combining these settings. In the context of a bot factory that can create and validate trading strategies, omission of such warnings can materially increase the chance that users deploy hazardous configurations without understanding the downside.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script is explicitly designed to place and close live trades automatically using API credentials, and the usage/help text does not provide a strong real-money warning, dry-run default, or interactive confirmation before irreversible actions occur. In the context of an agent skill that creates and runs trading bots from natural-language input, this increases the chance of accidental live execution, credential misuse, or unexpected financial loss rather than being a merely theoretical concern.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI exposes direct order-placement and position-closing commands without confirmation prompts, dry-run mode, or explicit risk acknowledgement. In an agent-driven or automated setting, a mistaken invocation, prompt injection, or parameter mix-up could immediately trigger real financial trades and losses.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The bind flow writes API credentials, including the API secret, to disk in plaintext JSON with no permission hardening or prominent secrecy warning. If the file path is in a shared directory, synced folder, or weakly permissioned home directory, credential theft could enable unauthorized account access and live trading activity.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.0.0
numpy>=1.24.0
ccxt>=4.0.0
scipy>=1.11.0
Confidence
97% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.0.0
numpy>=1.24.0
ccxt>=4.0.0
scipy>=1.11.0
Confidence
97% confidence
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.0.0
numpy>=1.24.0
ccxt>=4.0.0
scipy>=1.11.0
Confidence
98% confidence
Finding
ccxt>=4.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas>=2.0.0
numpy>=1.24.0
ccxt>=4.0.0
scipy>=1.11.0
Confidence
97% confidence
Finding
scipy>=1.11.0

VirusTotal

65/65 vendors flagged this skill as clean.