Xxyy Trade

Security checks across malware telemetry and agentic risk

Overview

This appears to be a crypto trading skill, but it needs Review because broad activation phrases are paired with wallet-linked trading authority.

Install only if you intentionally want an XXYY crypto-trading assistant. Use a least-privilege or low-balance API key if possible, confirm every wallet lookup and trade before execution, and avoid relying on this skill for casual requests like "feed" or "get started" unless you intend to enter a trading workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The skill advertises very broad trigger phrases such as "feed", "monitor chain", "query token", "get started", and wallet-related phrases, which can cause accidental activation for ordinary conversation. In this skill's context, accidental activation is more dangerous than usual because the same API key grants custodial trading capability, so unintended routing into this skill could expose wallet data or steer the session toward real-money actions.

Vague Triggers

Medium
Confidence: 94%
Finding
The activation phrases are unusually broad for a high-risk trading skill, including generic terms like "feed," "onboarding," and "get started." This can cause the skill to trigger in unrelated conversations and expose wallet balances, perform onboarding network calls, or steer users into trading workflows without clear intent, which is especially risky because the same API key enables real trades.

VirusTotal

65/65 vendors flagged this skill as clean.
