Gate Flash Swap Skill

Security checks across malware telemetry and agentic risk

Overview

This Gate crypto swap skill is mostly purpose-aligned, but it gives agents real trading authority while relying on under-scoped balance access, one-click execution, and a mutable external rules file.

Review carefully before installing. Use only a narrowly scoped Gate authorization, avoid one-click/direct swap wording unless you truly want immediate execution, and be especially cautious with requests like “convert all” or “sweep balances” because the skill may inspect holdings and convert full balances. The mutable external runtime-rules dependency also means behavior can change outside this reviewed package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The skill explicitly restricts tool usage to the listed MCP tools, but its many_to_one_all workflow instructs the agent to query spot balances using an undocumented capability. This creates a specification gap where an agent may either violate the tool allowlist or improvise unsupported access, undermining least privilege and making behavior unpredictable.

Scope Creep

High (98% confidence)
Finding
The skill declares only Fc:Write permission, yet later requires reading spot account balances to implement the 'convert all holdings' flow. That mismatch can push operators to overgrant permissions or cause agents to access sensitive account data outside the declared authorization model, violating least-privilege expectations for a financial skill.

Description-Behavior Mismatch

Medium (84% confidence)
Finding
This scenario adds portfolio balance inspection and bulk holdings consolidation behavior that is materially broader than the stated skill purpose of instant conversion/exchange. Expanding from a user-directed swap into automatic balance discovery and sweeping multiple assets increases the chance of overbroad asset access, unintended liquidation, and user surprise in a financial context.

Vague Triggers

Medium (91% confidence)
Finding
The trigger conditions include broad terms like 'swap', 'convert', and 'exchange', which are common in benign informational or unrelated contexts. In a skill with write-capable financial tools, overbroad activation increases the chance of the agent entering an execution workflow unexpectedly and steering users toward account-affecting operations.

Vague Triggers

Medium (88% confidence)
Finding
The manifest description advertises vague trigger phrases such as 'convert USDT to BTC' and 'swap multiple coins' without enough scoping to distinguish informational queries from actual exchange intent. Because this skill can perform write operations, ambiguous routing metadata can cause accidental selection and increase the risk of unintended trading flows.

Missing User Warnings

Medium (95% confidence)
Finding
The one-click flow explicitly permits immediate trade execution without a separate confirmation step, despite involving irreversible financial transactions subject to quote changes, slippage, and user misunderstanding. In a crypto trading skill, this context makes the issue more dangerous because ambiguous phrasing or prompt injection in surrounding conversation could trigger real asset conversion without an adequate user-consent checkpoint.

VirusTotal

65/65 vendors flagged this skill as clean.
