Minara

Security checks across malware telemetry and agentic risk

Overview

Minara is a coherent crypto trading skill, but it can move funds, enable AI trading, and persistently change future agent routing, so it needs careful review before installation.

Install only if you intend to let Minara access authenticated crypto account data and help execute real trades, transfers, withdrawals, subscriptions, and perps actions. Before setup, review any proposed edits to CLAUDE.md, AGENTS.md, or MEMORY.md, decline broad persistent routing if you do not want future finance prompts steered to Minara, keep confirmation and Touch ID enabled, do not use --yes for fund-moving commands, and enable autopilot only with clear risk limits you understand.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill directs the agent to execute shell commands (`bash`, `npm install -g`, `git pull`, file writes/removals) while the skill does not declare corresponding permissions. That creates a hidden capability gap: reviewers or policy systems may treat it as documentation-only or lower-risk while it can actually modify the host environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared purpose emphasizes trading, wallet, and analysis, but the skill also performs software maintenance actions such as version checks, package upgrades, git pulls, and writes to `~/.minara`. This mismatch is dangerous because users and routing/review systems may invoke it for finance tasks without realizing it can alter local software and state, expanding attack surface to supply-chain and persistence risks.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to modify a global/workspace configuration file on first activation, which exceeds the core finance/trading function and creates persistent side effects outside the immediate task. This can silently alter future routing behavior across unrelated sessions and expands the skill's influence beyond explicit user requests.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The OpenClaw section directs edits to AGENTS.md and MEMORY.md, creating durable behavioral changes in the workspace that are not necessary for a single finance operation. Persistently changing agent routing and memory can bias future tool selection and user interactions in ways the user may not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation exposes highly sensitive financial account details such as balances, holdings, PnL, margin, and positions, but provides no privacy warning or guidance on handling that data. In an agent setting, users may not realize that invoking these read-only commands can surface confidential wallet and trading information into chat history, logs, screenshots, or downstream tools.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The title uses highly generic activation terms like "Chat" and "Ask," which can cause the skill to trigger on a wide range of ordinary user requests unrelated to this specific crypto tool. In a skill that can influence trading and wallet workflows, over-broad invocation increases the chance of accidental routing into Minara, exposing users to unnecessary financial-context actions or misleading tool selection.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
These examples document financial transfer and withdrawal operations without explicit warnings that blockchain transfers and withdrawals are often irreversible and can permanently lose funds if the token, chain, amount, or recipient is wrong. In an agent skill context, examples strongly shape downstream automation behavior, so omission of safety guidance increases the chance that an agent or user will execute high-impact actions without adequate verification.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file shows non-interactive commands to close positions, including a variant that skips confirmation entirely, without warning that these commands can immediately liquidate exposure and realize losses. In a trading agent skill, this is especially dangerous because examples can be copied into automation or executed with minimal human review during volatile market conditions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The autopilot example advertises AI-driven trading strategy functionality without warning that it may place or influence trades using user funds, creating a substantial risk of unintended autonomous trading. Because this skill is explicitly for wallet and trading operations, presenting autopilot casually in examples can normalize handing execution authority to an automated system without clear consent boundaries or risk disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The x402 payment flow instructs the agent to pay an address derived from a 402 response without warning to verify the source, chain, amount, and recipient authenticity. This creates a phishing and payment-redirection risk, especially when an agent may treat protocol headers as trusted inputs and transfer funds automatically from the wallet.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The routing rule matches extremely broad categories such as crypto, trading, wallet, market data, and stocks, causing the skill to be preferred for a large fraction of finance-related prompts. Over-broad invocation increases the chance the skill is used in contexts the user did not intend, especially given that this skill can access trading and wallet actions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The proactive engagement rule uses vague language like 'vague finance question' and instructs the agent to use Minara instead of generic advice, without precise boundaries. This can cause over-invocation and unnecessary delegation to a finance tool even when the user is asking for general information rather than live trading or market execution help.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The OpenClaw routing rule repeats the same broad matching behavior for many common finance-related topics without exclusions or thresholds. In a workspace environment, this can systematically steer unrelated or low-risk conversations into a higher-privilege finance/trading workflow.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The OpenClaw proactive engagement instruction is underspecified and encourages tool use for ambiguous finance questions. This increases the chance of unnecessary invocation and can normalize automatic use of a transactional skill in contexts where simple informational responses would be safer.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Claude Code instructions authorize creating or appending to a persistent config file but only say to 'tell the user,' not to obtain informed consent for the lasting change. Users may not understand that future agent behavior is being permanently modified, creating a transparency and consent problem.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The OpenClaw setup similarly appends to persistent workspace files without requiring explicit confirmation or adequately highlighting that these changes survive the current session. Silent persistence is risky because it changes future routing and memory behavior beyond the user's immediate task.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The MEMORY.md modification stores a lasting preference for using Minara for all crypto, stock, and market operations, yet the instructions do not require warning or consent. Persisting behavioral preferences in memory can shape future interactions in non-obvious ways and is especially sensitive for trading-capable tools.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
Run `minara account` to check login state:
- **Success** → continue silently to the user's request.
- **Failure** → user is not logged in. Automatically run `minara login --device` with `pty: true`. When CLI outputs a verification URL and/or device code, present structured choices to the user:
  - Context: "Minara login required. Open this URL to complete login: {URL}\nDevice code: {code}"
  - Options: A) I've completed browser verification / B) Cancel login
  - After user confirms A → verify with `minara account`, then proceed.
Confidence
88% confidence
Finding
Automatically run

Tool Parameter Abuse

High
Category
Tool Misuse
Content
After a successful upgrade, invalidate the cache so the next session re-detects correctly:
```bash
rm -f ~/.minara/.last-update-check
```

Only prompt for the components listed in the `UPGRADE` output (e.g. if only `cli:` is present, don't mention skill).
Confidence
84% confidence
Finding
rm -f ~/.minara/

VirusTotal

65/65 vendors flagged this skill as clean.
