Crypto Executor

Security checks across malware telemetry and agentic risk

Overview

This skill discloses itself as a Binance trading bot, but it can place real-money orders autonomously, persist across reboots, and run unpinned external helper code, so it needs careful review before installation.

Install only if you intentionally want an autonomous real-money Binance trading bot. Use a dedicated, IP-restricted Binance API key with withdrawals, transfers, margin, and futures disabled; start with testnet or a very small balance; audit and pin the oracle dependency; keep Telegram optional and private; and do not enable systemd auto-start until you have supervised behavior and know how to stop and disable it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def fetch(self, symbol):
        """Fetch data for single symbol."""
        try:
            result = subprocess.run(
                [sys.executable, str(self.oracle_script), "--symbol", symbol],
                capture_output=True,
                text=True,
Confidence
81% confidence
Finding
result = subprocess.run( [sys.executable, str(self.oracle_script), "--symbol", symbol], capture_output=True, text=True, time

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises extensive capabilities that include credential use, filesystem persistence, network communication, and shell/subprocess execution, yet it does not declare an explicit permissions model. In a real-money trading context, this missing permission transparency prevents informed consent and weakens containment around sensitive operations such as order placement, local state mutation, and external code execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The stated purpose emphasizes trading automation, but the skill also performs Telegram data transmission and invokes an external oracle script through subprocess. Those behaviors materially expand the trust boundary and attack surface, especially because subprocess execution can inherit environment credentials and external messaging can leak trading activity or sensitive operational data.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guide instructs users/agents to clone and run an external repository and explicitly notes that the main bot invokes it via subprocess. Even with a suggestion to audit first, this expands the trust boundary to remote code that can change over time, creating a supply-chain and arbitrary code-execution risk in the same environment where trading credentials may be present.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The documentation directs cloning and executing code fetched from GitHub for both the executor and oracle during setup. Running remote code directly from mutable repositories is a classic software supply-chain risk, especially dangerous here because the same setup later loads API secrets and enables live trading.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The runtime loop never calls the closed-position monitoring path, so adaptive learning, performance metrics, and risk tuning are based on stale or incomplete data. In an autonomous trading engine this is security-relevant because safety controls and strategy adaptation can silently fail, causing the bot to continue trading with incorrect state and degraded risk management.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code claims to detect OCO-triggered closes and update portfolio/Kelly, but that method is not exercised in the main runtime flow. This creates a false sense of protection: users may believe positions are reconciled and risk controls updated when in reality open-position records, performance metrics, and loss calculations can drift from exchange reality.

Missing User Warnings

High
Confidence
91% confidence
Finding
The guide tells the user to launch executor.py and presents expected trading output, but it does not place an immediate, explicit warning at the run step that this is live trading capable of placing real market orders with loaded Binance credentials. In the context of an autonomous trading bot, this omission materially increases the chance of unintended financial loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README's quick-start flow presents `python3 executor.py` as a normal run command and shows successful startup output for a live trading engine, but it does not place a prominent, immediate warning at the execution step that this will submit real Binance orders and write persistent portfolio/trade state. In a skill whose entire purpose is autonomous exchange trading, understated disclosure materially increases the risk that a user runs it against production credentials and triggers unintended financial loss and account changes.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation describes reporting and automation but does not prominently warn that the skill persists multiple sensitive trading state files locally and sends trade/performance information to Telegram. In a financial execution skill, incomplete disclosure can cause users to expose portfolio data, strategy state, and operational telemetry without realizing the retention and transmission scope.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The document uses strong safety/profitability language such as 'maximum safety,' 'production ready,' and claims of bounded losses in a real-money trading system. These assurances can mislead operators into overtrusting the bot and deploying it with live funds despite market, implementation, dependency, and exchange-side failure modes that can invalidate such guarantees.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly instructs operators to start and enable an autonomous live-trading bot, but it does not provide a prominent warning that these actions can place real orders with real funds if production credentials are present. In the context of a self-described autonomous trading engine, omission of an explicit live-trading warning materially increases the chance of accidental financial loss by users who may treat the setup as routine service deployment.

Missing User Warnings

High
Confidence
98% confidence
Finding
This section places real market and OCO orders and persists trading state automatically, without any confirmation gate, dry-run default, or explicit acknowledgment that live funds are at risk. In the context of a self-learning autonomous Binance trader, this is highly dangerous because any logic error, manipulated signal, or compromised dependency can immediately trigger irreversible financial loss.

External Transmission

Medium
Category
Data Exfiltration
Content
endpoints_allowed:
        - "https://api.binance.com/api/v3/*"
        - "wss://stream.binance.com:9443/ws/*"
        - "https://api.telegram.org/bot*"
      requires_credentials: true
      uses_websocket: true
    security_level: "L3 - Financial Execution (Real Money)"
Confidence
78% confidence
Finding
https://api.telegram.org/

Credential Access

High
Category
Privilege Escalation
Content
ls /workspace/skills/crypto-executor/executor.py

# ✅ Already installed → just launch:
source /etc/crypto-executor/credentials.env
python3 /workspace/skills/crypto-executor/executor.py

# ❌ Not installed → full install (run once):
Confidence
89% confidence
Finding
credentials.env

Credential Access

High
Category
Privilege Escalation
Content
ls /workspace/skills/crypto-executor/executor.py

# ✅ Already installed → just launch:
source /etc/crypto-executor/credentials.env
python3 /workspace/skills/crypto-executor/executor.py

# ❌ Not installed → full install (run once):
Confidence
89% confidence
Finding
.env

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
systemctl status crypto-executor | grep "Main PID"

# Simulate crash
sudo kill -9 <PID>

# Wait 10 seconds
sleep 10
Confidence
90% confidence
Finding
sudo

Credential Access

High
Category
Privilege Escalation
Content
- ✅ Credentials not visible in `systemctl status` output
- ✅ File protected chmod 600 (root only)
- ✅ Not exposed in process list (`ps aux`)
- ✅ Shared with manual runs: `source /etc/crypto-executor/credentials.env`

---
Confidence
88% confidence
Finding
credentials.env

Session Persistence

Medium
Category
Rogue Agent
Content
### **Step 3: Enable Auto-Start**

```bash
sudo systemctl enable crypto-executor
# Why: creates a symlink so the bot starts automatically on every server reboot
```
Confidence
93% confidence
Finding
systemctl enable

Session Persistence

Medium
Category
Rogue Agent
Content
# Change: Description, MAX_POSITION_SIZE_PCT=8, DAILY_LOSS_LIMIT_PCT=1

sudo systemctl daemon-reload
sudo systemctl enable crypto-executor-conservative
sudo systemctl start crypto-executor-conservative
```
Confidence
90% confidence
Finding
systemctl enable

VirusTotal

64/64 vendors flagged this skill as clean.