Kraken CLI

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Kraken CLI, but it needs review because it can send arbitrary signed exchange API requests outside its confirmed alias workflow.

Install only if you intend to let an agent operate a Kraken account. Use dedicated least-privilege API keys, prefer read-only keys unless trading is required, avoid withdrawal permissions unless essential, keep OPENCLAW_KRAKEN_CONFIG and endpoint/base URL settings under your control, and require explicit operator approval before any raw private, futures raw, withdrawal, transfer, or arbitrary websocket use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The endpoint catalog exposes privileged capabilities beyond the skill's stated purpose, including subaccount creation/transfers and Earn allocation management. In an agent setting with OpenClaw-managed secrets, this scope expansion increases the chance that a user or prompt-injected workflow can trigger high-impact account changes that operators did not intend to grant, violating least privilege and making destructive or financially significant actions available under a misleading description.

Missing User Warnings

Medium
Confidence: 90%
Finding
The raw private mode allows arbitrary signed Kraken private API requests after only checking that private credentials exist, with no endpoint allowlist and no confirmation gate for state-changing operations. In a skill explicitly designed to perform trading and funding actions, this increases the chance of accidental or induced execution of sensitive account actions such as withdrawals, transfers, order placement, or configuration changes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script directly sources a file path taken from the OPENCLAW_KRAKEN_CONFIG environment variable, which executes arbitrary shell code in the current process rather than merely parsing configuration values. In a skill that manages exchange credentials and guarded trading actions, a malicious or tampered config file could run commands, exfiltrate secrets, alter endpoints, or weaken safety controls before any later safeguards apply.

Missing User Warnings

Medium
Confidence: 93%
Finding
This function automatically attaches Kraken Futures API credentials and signs requests whenever an endpoint is marked as signed, but there is no user-facing confirmation, warning, or secondary authorization gate at the point of dispatch. In a trading skill that can act on live account state and funding/trading endpoints, this increases the risk of accidental authenticated actions, especially if upstream alias selection or payload construction is mistaken or prompt-influenced.

VirusTotal

66/66 vendors flagged this skill as clean.
