Solana Funding Arb Cn

Security checks across malware telemetry and agentic risk

Overview

This crypto trading skill discloses some live-trading behavior, but it can use wallet keys, place automated trades, run on cron, and make trading decisions from unsafe mock/fallback data.

Install only if you intentionally want an automated crypto trading bot. Use dry-run mode first, do not provide a wallet/private key unless you accept the risk of automated fund movement, avoid cron/live mode until you have reviewed the code, and treat the advertised returns and Ultra Safe wording as hypothetical rather than guaranteed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration

Findings (37)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The package metadata explicitly describes the skill as a 'scanner + auto-trader', which materially expands its operational scope beyond passive monitoring in the skill description. In an agent-skill context, this mismatch is dangerous because users or orchestrators may invoke a package believing it only analyzes funding rates, while the packaged capability includes trade execution against financial accounts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The npm scripts expose direct execution paths for live trading, scan-only trading, status inspection, and dry-run modes, despite the skill metadata emphasizing monitoring and opportunity discovery. This creates a clear capability mismatch that can lead to unintended invocation of market-moving or fund-risking actions by an automated agent or user who expected read-only behavior.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The module behavior materially differs from the stated skill purpose: the manifest frames the skill as funding-rate arbitrage monitoring, but this file implements a cross-DEX spot arbitrage engine with wallet-backed transaction execution. In an agent/skill ecosystem, this kind of capability mismatch is dangerous because users or orchestrators may grant permissions or invoke the skill under false assumptions, enabling unintended live trading with real funds.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
This code does more than monitor and discover opportunities: it automatically selects the best opportunity and calls executeArbitrage, which can submit signed on-chain transactions. Because the skill metadata suggests monitoring/discovery only, this hidden execution capability increases the risk of unauthorized or unexpected fund movement when integrated into an automated agent workflow.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The comment suggests atomic execution, but the implementation submits the buy leg first and the sell leg afterward, explicitly acknowledging the possibility that the second leg can fail. This exposes the wallet to one-sided market risk, inventory exposure, and losses from slippage or price movement, especially in an automated trading context handling real assets.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The dashboard repeatedly represents that connecting a wallet enables 'live trading' and offers an 'Execute Trade' action, but the execution path is only a placeholder that shows a 'Coming Soon' alert. In a financial trading context, this is dangerous because users may make risk decisions based on false assumptions about automation or execution state, leading to financial loss or unmanaged exposure.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The UI specifically tells users that wallet connection enables live trading, but the only execute flow is a no-op stub. This is a deceptive security and product-state issue in a high-risk financial interface because users may connect wallets and trust the system to place or manage trades when it does not.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The file does more than monitoring or price discovery: it constructs a fully executable Raydium swap transaction from remote API responses. In the context of a skill described as funding-rate monitoring/arbitrage discovery, this meaningfully expands capability into trade execution, which increases risk of unintended or opaque on-chain actions if invoked by an agent or user who expects read-only behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
Generating spot swap transactions is not clearly justified by a funding-rate monitoring skill and creates a capability mismatch between declared purpose and actual behavior. That mismatch is dangerous because operators may grant this skill broader trust or automation than appropriate, enabling transaction generation where only analytics were expected.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
This file does more than monitor funding rates: it can place and close live perpetual orders against an external API using the configured wallet identity. In a skill advertised as monitoring and arbitrage discovery, hidden trade-execution capability materially increases risk because a caller may trigger irreversible market actions without clearly understanding that the skill can trade.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The presence of position-trading functions is inconsistent with the stated purpose of monitoring and finding funding-rate arbitrage opportunities. This scope mismatch is dangerous because downstream agents or users may grant trust based on the declared read-only purpose while the code can actually open exposure and change account state.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
On API failure, the integration silently returns fabricated funding-rate and price data that looks structurally valid to downstream trading logic. In a funding-rate arbitrage skill, this can cause the agent to identify nonexistent opportunities, make incorrect trading decisions, and act on false market conditions without any indication that the data is synthetic.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
On API failure, the code silently substitutes fabricated market/funding data via getMockRates() instead of signaling failure or returning only verified live data. In a funding-rate arbitrage skill, this is dangerous because downstream logic may treat synthetic values as real market conditions and trigger false trading signals, mispricing, or automated position changes based on nonexistent opportunities.

Intent-Code Divergence

Severity: Low
Confidence: 84%
Finding:
The parser claims to handle the real API response but always returns an empty list, causing the integration to ignore actual upstream data. In this trading-monitoring context, that can suppress detection of real opportunities or mask feed/integration failure, leading operators or automation to make decisions on incomplete state.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
This integration advertises live funding-rate monitoring, but parseRates() always returns an empty array and the error path silently substitutes fabricated mock market data. In a trading/arbitrage skill, that can directly mislead downstream strategy logic into making financial decisions on false or nonexistent market signals, which is a security-relevant integrity failure.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The file header claims this is a Parcl integration for real estate perpetuals, but the implementation does not actually deliver real Parcl market data. In the context of a funding-rate arbitrage skill, this mismatch increases operational risk because users and other components may trust the module's outputs as authoritative when they are incomplete or fake.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
This is a real integrity issue: `parseRates` ignores all API data and always returns an empty array, while the error path silently substitutes fabricated `getMockRates()` values. In a funding-rate arbitrage skill, presenting synthetic market/funding data as if it were live exchange data can directly mislead trading decisions, causing financial loss and masking outages or API/schema failures.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The file implements live trade execution and closing against Drift markets, which materially exceeds a monitoring-only capability and enables direct movement of user funds. In an agent skill context, exposing autonomous order placement is dangerous because a prompt, workflow bug, or abusive invocation could trigger real leveraged trades without meaningful human review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The client loads a Solana private key from disk or an environment variable, giving the skill access to highly sensitive signing material. In an automation setting this expands blast radius substantially: any compromise of the process, logs, deployment environment, or dependent code can expose credentials and enable unauthorized trading or wallet abuse.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The trigger keywords include broad terms like 'Solana', '套利', and 'funding rate', which are likely to match normal conversation and cause accidental skill activation. In this context, accidental activation is more dangerous because the skill is positioned to access trading workflows, secrets, automation, and potentially execute financial operations.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
Labeling a leveraged trading strategy as 'Ultra Safe' and recommending it to beginners can materially mislead users about real downside risk. In a financial trading skill, this framing may cause inexperienced users to deploy capital under a false sense of security, especially since the cited results are based on simulations rather than guaranteed live performance.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The recommendation section explicitly encourages users to start trading and then scale exposure based on short-term observed performance, without clearly warning that losses can occur and that simulated backtests may be incomplete or overly optimistic. This is dangerous because it can nudge users toward increasing financial risk on the basis of marketing-style guidance rather than balanced risk disclosure.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script presents simulation outputs as concrete yield comparisons and ends with prescriptive recommendations such as 'Best for beginners' and 'Start with Ultra Safe' without an explicit disclaimer that the figures are model-driven, hypothetical, and not financial advice. In a trading/arbitrage skill, this can mislead users into treating optimistic simulated returns as real-world expected performance, understating market, execution, liquidation, and model risk.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The manifest and script naming use broad terms like 'auto-trader' and 'trade' without clear trigger constraints, authorization boundaries, or statements that distinguish simulation from live execution. In agent ecosystems, ambiguous action-oriented naming increases the chance that automation routes requests into unsafe operational paths without informed user consent.

Natural-Language Policy Violations

Severity: Medium
Confidence: 93%
Finding:
The package promotes automatic trading but provides no visible opt-in, limitation, or safeguard language in metadata. For a finance-related skill, omission of consent and control boundaries materially increases the risk of unauthorized or accidental execution of trades, potentially causing direct financial loss.

VirusTotal

64/64 vendors flagged this skill as clean.
