Back to skill

Security audit

Clawhub Skills

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for token trading, but its buy and sell actions can affect funds without enough visible consent and risk guardrails.

Review this skill before installing. Only use it if you understand that buy and sell calls may execute real token trades and can cause financial loss; prefer explicit per-trade approval, spending limits, and price/risk checks before allowing an agent to call the trading tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill exposes buy and sell endpoints that execute real token trades and directly affect funds, but it does not prominently warn the user or calling agent that these actions are financially consequential. In an autonomous-agent context, this omission increases the risk of accidental or uninformed execution of trades based on ambiguous prompts or strategy text, especially because the document strongly frames the activity as a trading opportunity and provides ready-to-use transaction examples.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.