Prediction Stack Setup

Security checks across malware telemetry and agentic risk

Overview

This setup skill is coherent with its trading-stack purpose, but it deserves review because it stores trading/API secrets, enables persistent automated monitoring and phone alerts, and includes troubleshooting steps that can expose secrets.

Install only if you want persistent automated prediction-market monitoring and iMessage alerts. Before running it, review the cron and heartbeat schedules, use revocable least-privilege API keys, secure ~/.openclaw and private-key file permissions, confirm the iMessage recipient, avoid sharing raw troubleshooting output, and do not run diagnostics that print full config or live secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding:
The script reaches out to an additional third-party service, Polymarket, that is not disclosed in the module docstring's validation scope and is not described in the skill metadata. Unexpected outbound network calls increase supply-chain and privacy risk because users may run the validator without realizing it contacts extra services.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The README explicitly promotes configuring API keys, scheduled automation, and routing alerts to iMessage via BlueBubbles, but it does not warn users about secure credential storage, least-privilege handling, or the fact that alerts may traverse external services and devices. In a setup wizard that centralizes secrets in a unified config and enables automated delivery, this omission increases the chance of users exposing sensitive tokens or unintentionally sending trading-related data to third-party systems.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill instructs users to create recurring cron jobs and proactive messaging behavior, which introduces ongoing autonomous actions after a one-time setup. Without a strong upfront warning about persistence, frequency, external messaging, and possible costs, users may unknowingly enable continuous monitoring and outbound notifications.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
Heartbeat configuration enables continuous background checks and possible outbound iMessage sends, extending the skill's behavior beyond the immediate session. This increases privacy and operational risk because the system can monitor state and message users repeatedly without a sufficiently prominent consent boundary.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The guide recommends loading and printing the full parsed configuration with `json.dumps(config, indent=2)`, which is likely to reveal API keys, private key paths, proxy settings, and other sensitive values directly in terminal output or shell history capture. In a setup/troubleshooting context this creates an avoidable secret-exposure risk, especially if users paste output into bug reports, chats, or shared logs.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The manual Anthropic test performs a real authenticated API call using the user's key and prints the model response, but the guide does not warn that this transmits data to a third party, may incur billing, and can expose key-backed activity during troubleshooting. Even though the payload is trivial, operationally it encourages live secret use and external transmission without safety context.

VirusTotal

66/66 vendors flagged this skill as clean.