ClawHub

Superior Trade (Deprecated)

Security checks across malware telemetry and agentic risk

Overview

This deprecated trading skill is not malware, but it still contains live real-money trading workflows despite being presented as a moved/deprecated package.

Review carefully before installing. Treat this as a live-trading skill, not just a deprecation notice. Only install it if you intend to give an agent API-key authority over Superior Trade backtests and deployments, understand that live deployments can trade real funds, and can monitor, stop, or delete deployments yourself. Prefer the maintained successor package referenced by the artifact unless you specifically need this deprecated version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest presents the skill as merely deprecated and redirects users elsewhere, but the body still exposes full authenticated backtesting, deployment, and live-trading instructions. This mismatch can mislead reviewers, users, or policy gates into underestimating the real capability and risk of the skill, especially because the documented API key can initiate real-money trading actions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A deprecated-only description does not justify exposing live trading authority, especially when the documented credential scope permits starting real trading deployments. This creates a dangerous packaging discrepancy where a seemingly harmless redirect skill actually grants high-risk financial operations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The file contains explicit instructions to create credentials, create deployments, and start live trading with real funds while the package branding says it is deprecated and moved. That inconsistency increases the chance that users or automated systems trust and enable the skill without appreciating that it can perform financially consequential actions.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal