ClawHub
Back to skill

Security audit

HFT Paper Trader — Autonomous Crypto Framework

Security checks across malware telemetry and agentic risk

Overview

This is a paper-trading instruction skill whose Binance market-data use and local trading logs match its stated purpose, with some scope-setting users should handle carefully.

Install only if you want a paper-only crypto trading simulation. When invoking it, explicitly set symbols, time window, maximum trade count, and whether local files may be updated. Review or reset PORTFOLIO.json, LEDGER.csv, and lessons.md between runs, and do not connect real exchange credentials or enable live trading without a separate audit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The invocation examples are broad, imperative natural-language triggers like 'trade all signals' and 'place a paper trade' without explicit limits, confirmation requirements, or exclusions. In an autonomous-agent context, this can cause unintended bulk actions, repeated execution, or operation on the wrong assets/state, especially because the skill is framed for high-frequency and autonomous trading workflows.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill describes persistent writes to PORTFOLIO.json, LEDGER.csv, and lessons.md but does not warn users that it will create and modify local state over time. For agentic use, silent persistence can leak sensitive trading history, corrupt existing files, or create unintended stateful behavior that later prompts trust, making downstream decisions harder to audit and control.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal