Clawhub Skills

Security checks across malware telemetry and agentic risk

Overview

This is a coherent token-trading skill, but it should be reviewed because it gives an agent real buy and sell authority without explicit per-trade approval guidance.

Review before installing. Only use this skill if you trust the K-Trendz API operator and are comfortable giving an agent token-trading authority. Prefer price checks by default, and require explicit approval, budget caps, slippage limits, loss limits, and an allowed-token list before any buy or sell action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill documents direct buy and sell operations for financial tokens, including concrete endpoints and example trading logic, but does not provide an explicit warning that trades can lose money, may be irreversible once submitted on-chain, and can incur slippage and fees. In an agent skill context, this omission increases the chance that an autonomous or semi-autonomous agent executes speculative trades without adequate user awareness or consent.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal