Zerodha

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Zerodha command router, but it deserves Review because it combines brokerage trading authority and credential handling with default pipe-to-shell installers from an unpinned GitHub branch.

Install only if you trust the Zerodha CLI source and preferably review or pin the installer before running it. Treat API keys, API secrets, request tokens, refresh tokens, and generated trading commands as sensitive. Review every generated order command, especially side, symbol, quantity, price, product, and order type, before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill embeds bootstrap commands that fetch and immediately execute remote scripts via shell or PowerShell piping. This turns a command-routing skill into a code-execution delivery path and creates supply-chain risk if the remote content, hosting account, or transport path is compromised.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
These installer examples execute untrusted remote content directly without warning the user that they are running fetched code in a shell or PowerShell context. Because the skill is designed to emit runnable commands, downstream agents or users may execute them verbatim, amplifying the risk of arbitrary code execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The login flow instructs collection and routing of API keys, API secrets, request tokens, and callback details without any warning about sensitive credential handling. In an agent setting, this can cause users to paste secrets into chat or logs, exposing credentials to unintended storage, operators, or downstream systems.

External Script Fetching

Low
Category
Supply Chain
Content
Install commands:

- Linux/macOS (`curl`): `curl -fsSL https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.sh | sh`
- Linux/macOS (`wget`): `wget -qO- https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.sh | sh`
- Windows PowerShell: `irm https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.ps1 | iex`
- Windows CMD: `powershell -NoProfile -ExecutionPolicy Bypass -Command "irm https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.ps1 | iex"`
Confidence
99% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.sh | sh

External Script Fetching

Low
Category
Supply Chain
Content
# Intent to Command Defaults

- If user asks generic "install zerodha cli":
  - Linux/macOS: `curl -fsSL https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.sh | sh`
  - Windows: `irm https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.ps1 | iex`
- If user asks generic "login" and no auth fields are provided:
  - ask for `api_key` and `api_secret` first (profile defaults to `default` unless specified)
Confidence
98% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.sh | sh

External Script Fetching

Low
Category
Supply Chain
Content
Install commands:

- Linux/macOS (`curl`): `curl -fsSL https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.sh | sh`
- Linux/macOS (`wget`): `wget -qO- https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.sh | sh`
- Windows PowerShell: `irm https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.ps1 | iex`
- Windows CMD: `powershell -NoProfile -ExecutionPolicy Bypass -Command "irm https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.ps1 | iex"`
Confidence
99% confidence
Finding
wget -qO- https://raw.githubusercontent.com/jatinbansal1998/zerodha-kite-cli/main/scripts/install.sh | sh

VirusTotal

63/63 vendors flagged this skill as clean.
