Weex

Security checks across malware telemetry and agentic risk

Overview

This WEEX trading skill is not clearly malicious, but it exposes live financial and fund-transfer capabilities that go beyond the stated trading assistant purpose.

Review carefully before installing. Use read-only or tightly scoped WEEX API keys where possible, disable withdrawal permissions, avoid storing credentials globally if you do not need persistent access, prefer dry-run previews, and do not use the generic endpoint caller for affiliate, rebate, internal withdrawal, cancel-all, close-all, leverage, or margin changes unless you explicitly intend that exact action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill advertises executable capabilities that include environment access, filesystem access, and network use, but the manifest does not declare permissions or boundaries for those actions. In a trading skill, this matters because the tool handles API credentials and can perform live network operations, so undeclared capabilities reduce transparency and weaken review and containment.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documented purpose frames the skill as a natural-language trading assistant, but the file also discloses broader behavior: regenerating definitions from live docs and exposing generic low-level endpoint invocation. That mismatch is dangerous because it expands the operational surface beyond what a user may expect, potentially enabling unreviewed API actions or network scraping behaviors under the cover of a narrower description.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The file defines authenticated account-level mutation endpoints such as leverage, margin mode, isolated margin, and auto-append margin changes, which go beyond the manifest’s narrower description of order placement/cancellation/query and data retrieval. In an agent skill, this scope mismatch is dangerous because users or downstream policy may assume the skill only manages orders, while it can also alter liquidation risk and account configuration.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The skill exposes bulk destructive endpoints including cancel-all and close-positions actions that can affect an entire account or all symbols when parameters are omitted. This is dangerous because a natural-language trading agent could trigger mass liquidation-like behavior or wipe protective/open orders through ambiguity, misuse, or prompt injection, causing immediate financial loss.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The file defines authenticated affiliate/rebate and internal transfer functionality that materially exceeds the stated skill purpose of spot/futures trading, order management, market data, and account retrieval. This unnecessary expansion of privileged capabilities increases attack surface and enables access to sensitive third-party affiliate data and fund-movement operations that are unrelated to ordinary trading workflows.

Category: Context-Inappropriate Capability
Severity: Critical
Confidence: 99%
Finding: The internalWithdrawal endpoint allows authenticated transfer of assets to another user ID, which is a direct fund-movement capability unrelated to the declared trading/order-management purpose. In an agent context, exposing transfer functionality without a narrowly justified use case, explicit user consent, and strong guardrails creates a severe risk of unauthorized asset movement or prompt-induced abuse.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: The affiliate/referral endpoints expose sensitive business and user-related data such as invited user UIDs, KYC status, deposits, withdrawals, commissions, and trading activity, none of which is justified by a trading-focused skill description. In this context, the mismatch is dangerous because the agent may be granted broad authenticated access to data unrelated to the user’s intended trading tasks, enabling privacy violations and over-privileged data harvesting.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The documented API surface materially exceeds the stated skill purpose of spot/futures trading and account-data retrieval by including affiliate/referral administration and money-movement endpoints. This is dangerous because an agent or integrator may grant broader privileges than users expect, enabling access to third-party referral data and transfer functionality that is unrelated to normal trading workflows.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: This file documents an authenticated internal withdrawal endpoint that can transfer funds to another user ID, which is a direct asset-movement capability outside the stated scope of trading/account lookup. If exposed through an agent without strong authorization, explicit confirmation, and narrow credential scoping, it could be abused to exfiltrate affiliate funds or perform unauthorized transfers.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The affiliate/referral endpoints expose non-core business intelligence and user-linked financial activity such as referral status, deposits, trades, commissions, and assets. This expands the data-access envelope beyond trading operations and can enable privacy violations, partner-data scraping, or misuse of sensitive affiliate analytics if the skill is granted broad authenticated access.

Category: Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The README encourages natural-language order placement and cancellation without a prominent warning that these actions can trigger real trades with financial consequences. In an agent-driven workflow, ambiguous prompts or user misunderstanding could lead to unintended execution, position changes, or loss of funds.

Category: Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The safety section states that the default flow is direct live execution and only requires a technical flag for mutating requests, but it does not present a clear user warning about real financial loss, irreversible order placement, or account impact. In the context of an automated trading skill, this substantially increases the chance of accidental live trades from misunderstanding, prompt ambiguity, or unsafe agent behavior.

Category: Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: Destructive trading endpoints are present without any visible warning or safeguard indicating that omitting parameters can cancel all open/conditional orders or close all positions. In a high-risk financial context, the absence of clear warnings and consent boundaries materially increases the chance of catastrophic user error or malicious triggering via adversarial prompts.

Category: Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: This documentation exposes numerous authenticated, account-impacting trading actions such as placing orders, cancelling all orders, changing leverage, adjusting margin, and closing all positions, including dangerous parameter behaviors like omitting `symbol` to affect all orders or positions. In the context of an agent skill that supports natural-language trading, the absence of prominent safety warnings, confirmation requirements, and least-privilege guidance materially increases the risk of accidental or manipulated destructive actions being carried out against a real account.

Category: Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The documentation presents order placement and cancellation endpoints as ordinary operations without prominent warnings that they are state-changing, irreversible market actions with financial consequences. In an agent context, missing safety framing increases the chance of accidental execution, especially when natural-language requests are ambiguous or when tools are auto-selected.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.