Crypto Trading Bot (BTC/ETH or choose any)

Security checks across malware telemetry and agentic risk

Overview

This is advertised as a crypto trading bot, but the artifact also gives unrelated OpenClaw host and device administration instructions, including approving the latest device.

Install only if you intend this skill to cover OpenClaw administration as well as crypto trading. Before use, remove or ignore the unrelated Healthcheck, Skill Creator, and Node Connect sections, and do not allow any device approval command unless you have verified the exact device identity and explicitly requested that action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 82%
Finding
The manifest-style trigger text for the crypto_trading_bot skill is broad enough that ordinary requests about analyzing BTC/ETH or turning ideas into rules could invoke it unexpectedly. Over-broad invocation criteria increase the chance of unintended activation, which can route users into higher-risk financial automation behavior without clear confirmation or scope checks.

VirusTotal

39/39 vendors flagged this skill as clean.
