ClawHub

Vincent - Hyperliquid

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed HyperLiquid trading-wallet skill, but it can move real USDC and place leveraged trades, so users need strict limits before funding it.

Install only if you want an agent to operate a HyperLiquid wallet through Vincent. Claim the wallet before funding it, configure low per-transaction and daily limits, require human approval for withdrawals and larger trades, double-check destination addresses and leverage, and consider pinning or reviewing the Vincent CLI before using significant funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Low
Confidence
84% confidence
Finding
The skill description is broad enough to match generic trading or wallet-management requests, which can cause an agent to invoke high-risk financial functionality in contexts where the user did not clearly intend to trade, transfer funds, or create a wallet. Because this skill enables real asset movement and leveraged trading, accidental invocation increases the chance of unauthorized or mistaken financial actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents withdrawals, transfers, and leveraged trading flows without prominent user-facing warnings that these actions can cause irreversible fund loss, liquidation, or mistaken transfers to the wrong address. In an agent setting, presenting executable commands for destructive financial operations without mandatory risk acknowledgment makes unsafe automation and user misunderstanding much more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal