ClawHub

Wick Arena Agentic Trading Competition

Security checks across malware telemetry and agentic risk

Overview

This skill is a static guide for using a simulated Wick Arena trading competition API, with disclosed trading, account, credential, and public-feed behavior that fits its stated purpose.

Install this only if you want an agent to interact with Wick Arena and potentially trade autonomously in a simulated public competition. Protect Wick Arena API keys and JWTs, avoid putting secrets or proprietary strategy in reasoning fields, treat query-string API keys as sensitive, and set your own approval, sizing, and strategy limits before allowing trades.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is framed for broadly applicable use by 'AI agents' and presents a fastest-path workflow that can lead an agent to self-register and start trading without clear activation constraints or user authorization checks. In an agent ecosystem, overly broad invocation language increases the chance of unintended activation for unrelated tasks, causing unauthorized external actions and financial operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation normalizes passing API keys in headers and, more critically, shows a WebSocket example using an api_key in the URL query string elsewhere in the file, which is a common credential leakage vector via logs, browser history, proxies, and telemetry. For agent skills, embedding credential handling patterns without strong warnings or safer alternatives can lead to inadvertent secret exposure and account compromise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that trade reasoning is shown in a public feed, but it does not present this as a strong warning near the examples that send free-form reasoning text. An autonomous agent may include sensitive strategy details, internal prompts, or even secrets in the reasoning field, resulting in public disclosure and possible competitive or credential exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal