Chainup Spot Trading

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ChainUp trading skill, but it can use API keys for real trades/transfers and includes a documented confirmation bypass.

Install only if you intend to let an agent use ChainUp/OpenAPI V2 credentials for account queries and live trading. Use least-privilege API keys, avoid passing secrets on the command line, verify the base URL and credential source, and do not allow --no-confirm-gate on live accounts unless you deliberately accept the risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill clearly uses sensitive capabilities—network access, file reads, and environment/credential access—yet does not declare permissions. That weakens reviewability and consent boundaries because operators cannot easily see that the skill may read local credential files and make authenticated trading requests. In a trading context, hidden capability breadth materially increases risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description understates the operational scope of the skill. Beyond spot/margin trading, it can transfer assets, read account balances, read credentials from a local file, and perform parameter normalization logic that changes request payloads. That mismatch can mislead users or reviewers into granting trust to a skill with broader fund-moving and credential-handling behavior than advertised.

Vague Triggers

Medium
Confidence
74% confidence
Finding
The trigger language includes ambiguous wording such as 'or similar ... scenarios,' which can cause the skill to activate outside narrowly intended contexts. In a financial trading skill, unintended activation is risky because it may steer the agent into authenticated exchange operations or credential usage when the user only asked a loosely related question.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation includes live authenticated curl examples for account and trading endpoints, including a POST market sell order, without any safety warning that these requests can execute against real funds and expose API credentials in terminal history, process listings, logs, or copied transcripts. In an agent skill context, examples are often copied verbatim, so omission of clear guardrails materially increases the chance of accidental live trades or credential leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The authentication guidance tells users to handle API key and secret material but does not warn about protecting secrets from shell history, process arguments, CI logs, screenshots, or pasted transcripts. Because this file is specifically an authentication reference for a trading API, missing credential-handling guidance can directly lead to account compromise if users follow the examples unsafely.
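The two Missing User Warnings findings, together with the Overview's guidance (least-privilege keys, no secrets on the command line, a verified base URL, no raw credentials in output), name controls without showing them. The Python below is an added example written for this review, not code from the ChainUp skill. It assumes a JSON credential file `{"api_key": ..., "api_secret": ...}` created by the operator with mode 0600, a placeholder gateway host `api.exchange.example`, and the function names used here; the credential values in `demo()` are constructed and no network call is made.

```python
"""Credential guardrails for an exchange-trading agent script.

Added example for this review, not the ChainUp skill's code. Assumptions:
credentials sit in a JSON file {"api_key": ..., "api_secret": ...} that the
operator created with mode 0600, and the allowlisted host is a placeholder.
"""
import json
import os
import stat
import tempfile
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed placeholder: pin the exact gateway host you verified, nothing broader.
ALLOWED_HOSTS = frozenset({"api.exchange.example"})


@dataclass(frozen=True)
class Credentials:
    api_key: str
    api_secret: str

    def masked(self) -> str:
        """Safe to print: key tail only, secret never."""
        return f"api_key=***{self.api_key[-4:]} api_secret=<hidden>"


def file_is_private(path: str) -> bool:
    """A regular file with no group/other permission bits at all."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_credentials(path: str) -> Credentials:
    """Read secrets from a private file instead of argv or the shell history.

    Refuses loosely permissioned files so a key cannot leak through a sloppy
    checkout or shared home directory without anyone noticing.
    """
    if not file_is_private(path):
        raise PermissionError(f"{path} must be a regular file with mode 0600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    key, secret = data.get("api_key"), data.get("api_secret")
    if not key or not secret:
        raise ValueError("credential file lacks api_key or api_secret")
    return Credentials(key, secret)


def base_url_allowed(url: str) -> bool:
    """Exact-host HTTPS allowlist: rejects userinfo tricks, odd ports, lookalike hosts."""
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and parts.username is None
        and parts.port in (None, 443)
        and parts.hostname in ALLOWED_HOSTS
    )


def redact(text: str, creds: Credentials) -> str:
    """Scrub secret material from an error before it reaches a log or a reply."""
    for value in (creds.api_secret, creds.api_key):
        text = text.replace(value, "[REDACTED]")
    return text


def demo() -> dict:
    """Exercise the guardrails on a constructed credential file (no network)."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "creds.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"api_key": "key_constructed_1234",
                       "api_secret": "secret_constructed_value"}, fh)
        os.chmod(path, 0o644)  # the common mistake: world-readable
        try:
            load_credentials(path)
            out["loose_mode_rejected"] = False
        except PermissionError:
            out["loose_mode_rejected"] = True
        os.chmod(path, 0o600)
        creds = load_credentials(path)
        out["masked"] = creds.masked()
        out["redacted"] = redact(
            "HTTP 401 for key_constructed_1234 sig secret_constructed_value", creds)
    out["url_ok"] = base_url_allowed("https://api.exchange.example/open/api/v2")
    out["url_lookalike"] = base_url_allowed("https://api.exchange.example.attacker.test/")
    out["url_userinfo"] = base_url_allowed("https://api.exchange.example@attacker.test/")
    out["url_plain_http"] = base_url_allowed("http://api.exchange.example/")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The file-mode check is deliberately strict (any group or other bit fails, not just read bits), because the point is to make a careless checkout fail loudly rather than trade silently; the host allowlist compares `hostname` after URL parsing so that a `user@host` prefix or a suffix-appended lookalike domain cannot pass a naive string-prefix check.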

Ssd 4

Medium
Confidence
93% confidence
Finding
The skill establishes a confirmation gate for balance-changing actions, then explicitly provides a bypass path via `--no-confirm-gate`. Normalizing a bypass mechanism for live trading, cancellation, and transfer actions undermines the main safety control and can lead to accidental or socially engineered execution of irreversible financial operations.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- Any action that affects balances, even if it may not fill immediately, is still treated as a live balance-changing action. This includes but is not limited to limit orders, batch orders, cancellations, transfers, margin orders, and margin cancellations.
- Query actions can execute directly, including but not limited to balance queries, order queries, trade history queries, market data queries, and open-order queries.
- Precision prechecks are mandatory before order confirmation so the script does not send prices or quantities that exceed symbol precision to the live gateway.
- If the user explicitly requests to bypass confirmation, `--no-confirm-gate` may be used. This is high risk and should only be used with explicit user authorization.
- Never print full credentials in the terminal or reply. If the script throws an error that could expose secrets, summarize the failure rather than copying the raw sensitive output.

## Examples
Confidence
95% confidence
Finding
--no-confirm
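The quoted content above describes the skill's intended controls: direct execution for query actions, a confirmation gate plus a mandatory precision precheck for balance-changing actions, and a `--no-confirm-gate` bypass reserved for explicit user authorization. The Python below is an added example written for this review, not the skill's script. It shows one fail-closed way to wire those controls together so that the bypass only takes effect when operator-side policy (outside the agent's control) permits it. The action names, the `SYMBOL_PRECISION` table, the `Decimal`-based precision rule, and the `operator_allows_bypass` flag are assumptions; nothing here talks to an exchange.

```python
"""Fail-closed confirmation gate for balance-changing exchange actions.

Added example for this review, not the ChainUp skill's script. Assumptions:
the action names, the per-symbol precision table, the Decimal-based precision
rule, and the operator_allows_bypass policy flag (which must come from
operator-controlled config, never from the agent's prompt).
"""
from decimal import Decimal, InvalidOperation
from typing import Callable, Optional

# Every action is classified explicitly; anything unlisted is refused.
QUERY_ACTIONS = frozenset({
    "balance", "order_query", "trade_history", "market_data", "open_orders"})
BALANCE_CHANGING_ACTIONS = frozenset({
    "limit_order", "market_order", "batch_order", "cancel", "transfer",
    "margin_order", "margin_cancel"})

# Constructed table: (price decimals, quantity decimals) per symbol.
SYMBOL_PRECISION = {"BTCUSDT": (2, 6), "ETHUSDT": (2, 4)}


class GateError(Exception):
    """The request must not reach the live gateway."""


def decimal_places(value: str) -> int:
    """Decimal places of a positive amount string; trailing zeros do not count."""
    try:
        amount = Decimal(value)
    except InvalidOperation:
        raise GateError(f"not a decimal amount: {value!r}") from None
    if not amount.is_finite() or amount <= 0:
        raise GateError(f"amount must be positive and finite: {value!r}")
    return max(0, -amount.normalize().as_tuple().exponent)


def precision_ok(symbol: str, price: Optional[str], quantity: str) -> bool:
    """Precheck against symbol precision before anything is confirmed or sent."""
    if symbol not in SYMBOL_PRECISION:
        raise GateError(f"no precision data for {symbol!r}; refusing")
    price_dp, qty_dp = SYMBOL_PRECISION[symbol]
    if price is not None and decimal_places(price) > price_dp:
        return False
    return decimal_places(quantity) <= qty_dp


def run_action(action: str, params: dict, confirm: Callable[[str], bool], *,
               no_confirm_gate: bool = False,
               operator_allows_bypass: bool = False) -> str:
    """Route one action through the gate; returns what happened (no network)."""
    if action in QUERY_ACTIONS:
        return "executed"                      # read-only: no confirmation
    if action not in BALANCE_CHANGING_ACTIONS:
        raise GateError(f"unknown action {action!r}; fail closed")
    if not precision_ok(params["symbol"], params.get("price"), params["quantity"]):
        raise GateError("price/quantity exceed symbol precision; not sent")
    summary = f"{action} {params}"
    if no_confirm_gate:
        # The agent may ask for the bypass; only operator policy can grant it.
        if not operator_allows_bypass:
            raise GateError("--no-confirm-gate refused on this account")
        return "executed without confirmation"
    if not confirm(summary):
        return "aborted by operator"
    return "executed"


def demo() -> dict:
    """Walk the gate through the cases a reviewer cares about."""
    approve, deny = (lambda s: True), (lambda s: False)
    limit = {"symbol": "BTCUSDT", "price": "65000.50", "quantity": "0.001"}
    market = {"symbol": "ETHUSDT", "quantity": "0.5"}
    out = {
        "query": run_action("balance", {}, deny),
        "limit_confirmed": run_action("limit_order", limit, approve),
        "limit_denied": run_action("limit_order", limit, deny),
    }
    blocked_cases = (
        ("bad_precision", dict(action="limit_order", confirm=approve,
                               params={**limit, "price": "65000.123"})),
        ("bypass_without_policy", dict(action="market_order", params=market,
                                       confirm=approve, no_confirm_gate=True)),
    )
    for name, kwargs in blocked_cases:
        try:
            run_action(**kwargs)
            out[name] = "sent"
        except GateError:
            out[name] = "blocked"
    out["bypass_with_policy"] = run_action(
        "market_order", market, deny, no_confirm_gate=True, operator_allows_bypass=True)
    return out
```

Two design points matter here. First, the action sets are closed: a new or misspelled action name is refused rather than falling through to "query, run directly", which is how a gate quietly stops covering what it was meant to cover. Second, the precision precheck runs before the confirmation prompt, so the operator is never asked to approve a payload the gateway would reject or round, and `--no-confirm-gate` alone changes nothing unless the operator's own configuration has opted the account into bypass.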

VirusTotal

64/64 vendors flagged this skill as clean.
