ClawHub

Trench

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only crypto trading skill that is not malicious, but it promotes high-risk automated Solana trading without clear confirmation, wallet, spending, or stop controls.

Review carefully before installing. Do not connect a wallet or let an agent place live trades unless a future implementation clearly documents wallet handling, per-trade approval, spending caps, slippage limits, retry behavior, dry-run support, cancellation controls, and the financial risks of meme-coin trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description explicitly encourages invocation for broad, fast-moving meme-coin trading scenarios, which increases the chance an agent will use it in loosely related contexts without strong user confirmation or suitability checks. In a high-risk financial domain, overbroad routing guidance can lead to unintended trading actions, loss of funds, or misuse of privileged wallet capabilities.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill markets rapid trading, sniping, auto-execution, and position management for speculative meme coins without prominent warnings about financial risk, irreversible blockchain transactions, frontrunning/slippage risk, scams, or wallet-loss scenarios. Because the skill context is automated on-chain trading, the absence of explicit risk disclosures and confirmation requirements makes accidental or unsafe execution materially more dangerous.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal