Clawback

Security checks across malware telemetry and agentic risk

Overview

ClawBack’s core purpose is disclosed, but it asks for brokerage credentials and can place unattended real-money trades with weak credential handling and persistence controls.

Install only if you intentionally want an automated trading bot with E*TRADE access. Before running it:
  • Start with sandbox credentials and avoid production keys until you have reviewed trade limits.
  • Remove or ignore the debug auth scripts.
  • Protect ~/.clawback and the SQLite database.
  • Disable the cron/systemd persistence unless you explicitly want unattended trading.
  • Assume stored tokens are not encrypted despite the documentation claim.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection

Findings (50)

Intent-Code Divergence (Medium severity, 89% confidence)
The documentation gives conflicting statements about where credentials are stored and whether setup uses .env files or JSON configuration. Ambiguous secret-handling guidance leads to accidental insecure storage, operator mistakes, and difficulty auditing where broker credentials and tokens actually reside.

Intent-Code Divergence (Medium severity, 96% confidence)
The setup flow explicitly writes broker API secrets into ~/.clawback/config.json, while the security section claims environment-variable-based configuration. This contradiction can mislead users into believing secrets are handled more safely than they are, increasing the risk of plaintext secret exposure through backups, logs, or permissive file permissions.

Intent-Code Divergence (Low severity, 84% confidence)
The documentation states tokens are encrypted while also documenting a plain JSON token file path, creating a misleading security claim. Even if not directly exploitable by itself, this can cause unsafe operational assumptions about the confidentiality of long-lived broker access tokens.

Context-Inappropriate Capability (High severity, 98% confidence)
The script prints broker authentication material, including API key prefix, request token, and request secret, directly to stdout. In a trading skill, these values can be captured by shell history, terminal logging, CI logs, remote support sessions, or shared consoles, enabling session hijacking or unauthorized broker access.

Context-Inappropriate Capability (Medium severity, 94% confidence)
The setup flow reads a separate tool's configuration file from ~/.openclaw and reveals part of the Telegram bot token to stdout. Even partial secret disclosure and cross-tool secret access are unnecessary for a congressional-trade bot CLI, expand the trust boundary, and can leak sensitive data into terminal logs, screenshots, or shell history capture tools.

Context-Inappropriate Capability (Medium severity, 78% confidence)
The cleanup routine recursively deletes JSON files from configured data and backup directories with no path validation, sandboxing, or safety checks. If those directory settings are misconfigured or attacker-influenced, the function could remove unintended files and cause data loss beyond the skill's expected operational scope.

Description-Behavior Mismatch (Medium severity, 97% confidence)
The skill claims to mirror official congressional disclosures, but in practice the Senate path falls back to an unaffiliated GitHub dataset and the House path does not implement official retrieval at all. In a trading automation context, this creates a supply-chain and integrity risk: a third-party maintainer or compromised repository could inject false or manipulated trade data that downstream logic may trust for real broker execution.

Intent-Code Divergence (Medium severity, 95% confidence)
The documentation states the collector fetches from official government sources, but the actual implemented Senate retrieval uses a community GitHub dataset. This is dangerous because it misrepresents trust boundaries to operators and downstream components, increasing the chance that unofficial, potentially tampered data will be treated as authoritative in an automated financial workflow.

Context-Inappropriate Capability (Medium severity, 90% confidence)
This file adds host-level persistence and scheduler management capabilities by installing cron jobs and creating a systemd user service. In the context of a trading/disclosure mirroring skill, that expands the blast radius from application logic into long-lived host modification, which can be abused or cause unintended persistence on user systems.

Context-Inappropriate Capability (Medium severity, 86% confidence)
The export_to_json method can write a full dump of internal application data, including trading history, positions, and bot state, to any caller-supplied file path. In a trading automation context, broad export functionality increases the risk of sensitive operational data disclosure and unintended writes to unsafe locations if this method is exposed through higher-level agent actions.

Description-Behavior Mismatch (Medium severity, 97% confidence)
This code directly places live broker orders and records execution history, which materially exceeds a passive disclosure-tracking role. In the context of a skill that ingests external congressional trade data and can be run automatically, this creates a real risk of unintended or unauthorized financial transactions if the skill is invoked with broker credentials.

Intent-Code Divergence (Medium severity, 92% confidence)
The demo mode claims to perform analysis only, but it still calls analyze_trade_for_execution(), which queries broker/account state and market-open status when a broker is configured. This mismatch can expose account information, trigger unintended side effects in broker integrations, and mislead users into believing no live systems are touched.

Context-Inappropriate Capability (Medium severity, 77% confidence)
The interactive export path is fully user-controlled and can write the full trading database to arbitrary filesystem locations. In a privileged or shared environment, this can expose sensitive financial and account data or overwrite files outside the intended data directory, which is riskier in a trading skill that stores broker/account context and trade history.

Context-Inappropriate Capability (Medium severity, 86% confidence)
This test utility runs, and encourages users to run, an authentication helper that is not clearly related to the skill's stated congressional-trading purpose. In a skill package, unexpected auth flows expand the trust boundary, cause users to run credential-handling code they did not anticipate, and create opportunities for token exposure or abuse through a seemingly unrelated component.

Missing User Warnings (Medium severity, 97% confidence)
The report discloses the existence of a live user configuration file, broker credentials, and apparently valid access tokens in a human-readable maintenance document without any masking or privacy warning. In a trading skill, even confirming that credentials and tokens exist materially helps an attacker target credential theft, session hijacking, or social engineering against the operator.

Missing User Warnings (Medium severity, 98% confidence)
The embedded CLI output reveals user-specific filesystem paths, broker environment, and a full account identifier, which creates unnecessary exposure of personal and operational details. In the context of an automated trading skill, these details increase the risk of targeted phishing, account correlation, and follow-on attacks against local files or broker integrations.

Missing User Warnings (Medium severity, 94% confidence)
The setup instructions direct the agent to solicit and store E*TRADE consumer secrets and account identifiers without a clear privacy and storage warning. In an agent context, asking users to paste brokerage secrets is especially sensitive because the agent may log, echo, or persist them, and the same skill later performs trading actions with those credentials.

Natural-Language Policy Violations (Low severity, 89% confidence)
The script hardcodes and displays a specific verification code value in a live authentication context, which is unsafe because users may mistakenly treat a stale or embedded code as valid secret material. In a brokerage trading skill, misleading or embedded authentication artifacts increase the chance of account setup errors, accidental disclosure, or insecure operational practices around OAuth secrets.

Missing User Warnings (High severity, 99% confidence)
The script reads sensitive broker credentials from a local config file and immediately prints them without warning or masking. Because this skill is designed for automated broker execution, exposed auth material has direct financial impact: an attacker or unauthorized observer could reuse tokens or secrets to access or manipulate brokerage actions.

Missing User Warnings (Medium severity, 95% confidence)
This script serializes OAuth request tokens, request secrets, and API credentials to a predictable file under the user's home directory using pickle, without setting restrictive permissions or warning the user about sensitive local storage. In a trading automation skill tied to a brokerage account, compromise of this file could enable unauthorized account access or facilitate completion of the authentication flow, making the context materially more dangerous than generic token caching.

Missing User Warnings (Medium severity, 94% confidence)
The utility prints the first 30 characters of the OAuth access token to stdout during status checks. Even partial credential disclosure can leak into terminal scrollback, logs, screenshots, shell history capture tools, or remote session recordings, increasing the chance of token compromise.

Missing User Warnings (Medium severity, 97% confidence)
The script stores OAuth access tokens and secrets on disk in a JSON file under the user's home directory without setting restrictive file permissions or warning the user. In a trading automation context, theft of these credentials could allow unauthorized broker API access and account actions, making local compromise more consequential than in a low-risk application.

Missing User Warnings (Medium severity, 90% confidence)
The script's default `check` path can directly authenticate to a broker and execute trades from a non-interactive cron context with no user confirmation, dry-run safeguard, or prominent warning at the point of execution. In an automated trading skill, this creates material risk of unintended financial transactions if the bot logic, upstream disclosures, configuration, or environment are wrong or manipulated.

Missing User Warnings (Medium severity, 86% confidence)
The `monitor` path can automatically execute stop-loss orders and other position-management actions in a scheduled, unattended context without an explicit disclosure in the script that real orders may be placed. Because stop-loss execution is destructive and time-sensitive, mistakes in thresholds, market data, or bot state could trigger unwanted sales and financial loss without immediate human review.

Missing User Warnings (Medium severity, 79% confidence)
The setup script attempts a privileged system modification by creating or force-replacing a symlink in /usr/local/bin via sudo without explicit confirmation. Even though stderr is suppressed and failure is tolerated, this can unexpectedly alter a system-wide command path and may mask what changed, which is risky in a trading-related skill that users may run with elevated privileges.

VirusTotal

65/65 vendors flagged this skill as clean.