Security audit

Trade Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real AIUSD trading skill, but it can move funds and uses automatic installer/auth flows that need careful review.

Install only if you intentionally want this bot to access your AIUSD account and potentially trade, stake, withdraw, or top up gas. Use a trusted private device and bot session, inspect or sandbox the installer before running it, back up any existing aiusd-skill directory, and require manual confirmation of asset, amount, destination, chain, fees, and slippage before any transaction moves funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The skill defines two conflicting authentication behaviors: one section mandates that the agent only return a minimal browser-auth message, while later sections instruct it to automatically run re-auth commands, clear auth caches, and report completion. In a financial skill, contradictory auth handling can lead to unsafe or misleading agent behavior, including destructive cache clearing, confused recovery flows, and accidental execution of privileged re-auth actions without clear user intent.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The header materially misrepresents the file as a self-contained skill package when the visible code is actually an installer stub that deletes directories, extracts opaque bundled content, and executes package-management commands. This deception reduces user scrutiny and hides the real trusted computing base inside an embedded archive, which is risky in a security-sensitive installer context.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The installer executes shell commands and performs `npm install` on extracted opaque content, which can run arbitrary lifecycle scripts from the embedded package. Because the payload is hidden in base64 and not reviewed here, this gives the package broad code execution on the host during installation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The script unconditionally removes and recreates the `aiusd-skill` directory under the current working directory. This can destroy existing local data or overwrite prior installations without validating ownership, contents, or obtaining consent.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The installer unconditionally removes an existing ./aiusd-skill directory before extraction, which can destroy user data or overwrite a prior installation without consent. In a self-extracting installer for an untrusted skill, destructive filesystem behavior is risky because users may not expect data loss from what appears to be a simple extraction step.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The script presents itself as extracting and decoding an embedded archive, but then runs npm install on the extracted package. npm install can execute arbitrary lifecycle scripts from package.json and dependencies, so this is materially more dangerous than passive extraction and creates hidden code-execution risk.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
Running npm install on unknown extracted contents is a direct arbitrary-code-execution pathway because npm lifecycle hooks and transitive dependency scripts execute with the user's privileges. Since the embedded archive is opaque in this review and the skill is of unknown purpose, the installer meaningfully increases attack surface beyond simple file unpacking.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README encourages users to install a skill via drag-and-drop into chat and then perform sensitive financial operations such as trading, withdrawals, and staking, but it does not clearly warn about irreversible transactions, financial loss, or the need for explicit confirmation before account-affecting actions. In a bot skill handling crypto assets, this omission increases the risk of unsafe user behavior, accidental execution, and over-trust in automated actions.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
The skill advertises high-risk financial operations including trading, staking, withdrawals, and gas top-ups, but the opening description lacks clear user-facing safety boundaries such as irreversible transfer risk, market loss risk, and the need for explicit confirmation before executing actions. In this context, omission of these warnings increases the chance that an agent performs or recommends sensitive actions without adequate informed consent.

Missing User Warnings

Severity: High
Confidence: 94%
Finding
The withdrawal capability is documented as a normal tool action but does not explicitly warn that transfers to external wallet addresses may be irreversible and unrecoverable if the destination address or chain is wrong. Because this skill operates on financial assets, that omission materially raises the risk of permanent fund loss from agent or user error.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Deleting any existing `aiusd-skill` directory without confirmation is unsafe because it can cause irreversible data loss and may remove unrelated user files placed there. In an installer, silent destructive behavior increases the chance of accidental damage and lowers user awareness of risk.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The installer extracts bundled content and immediately runs shell/package-management commands without an upfront warning about code execution. Since `npm install` may execute package scripts and the archive contents are opaque, users are exposed to hidden arbitrary execution during installation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script deletes an existing target directory with rm -rf without asking the user to confirm. This can cause irreversible loss of local files and is especially unsafe in an installer distributed as a convenience script, where users may run it from directories containing important working copies.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
After extracting opaque package contents, the installer immediately performs actions that may execute code, yet it does not clearly warn the user that installation scripts may run. For a skill installer, this hidden execution step is more dangerous because the embedded payload is not human-reviewable at a glance and could contain malicious package scripts.

VirusTotal

65/65 vendors flagged this skill as clean.