Envy Trading System

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real crypto trading skill, but it stores wallet secrets in plaintext and can use them for live trading with limited runtime safeguards.

Review carefully before installing. Use paper mode unless you explicitly intend live trading, do not fund the generated wallet with more than you can afford to lose, inspect controller.yaml before starting the controller, and understand that wallet.json and config.json may contain reusable secrets in plaintext.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents capabilities that require environment-variable access and network access, yet those permissions are not explicitly declared. In a trading and wallet-management context, this weakens the trust boundary around sensitive operations because the skill can reach external services and use secrets without transparent permission scoping.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The README explicitly instructs users to run a command that prints their mnemonic and private key in plaintext, then import that key into MetaMask. Exposing seed material on screen or in terminal history creates an immediate path to wallet compromise and total loss of funds, especially dangerous in a trading skill that later enables live trading.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
Claiming the agent 'handles everything' and starts paper trading automatically encourages users to delegate financial setup and trading actions without clear consent boundaries. In a trading context, ambiguous automation can lead to unintended account changes, monitor startup, subscription actions, or later escalation toward live trading workflows.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code creates a wallet, persists the private key and mnemonic in plaintext to wallet.json, and the wallet command prints both secrets back to stdout. In a skill that may be invoked for trading and wallet-related tasks, exposing seed material is extremely dangerous because any local compromise, log capture, screen capture, or accidental sharing can irreversibly transfer funds.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The broad trigger phrase 'Set me up for trading' is generic enough that the skill could activate on ordinary conversational requests and initiate consequential financial workflows. Because this skill manages strategies, monitoring, and trading state, overly broad invocation increases the risk of unintended execution and user confusion.

Missing User Warnings

High
Confidence
99% confidence
Finding
The README tells users to expose mnemonic and private key material without any explicit warning that these secrets grant complete control over funds. In the context of a crypto trading skill that can switch to live trading and reuse the same wallet for subscriptions and exchange funding, this dramatically increases the blast radius of a single mistake or compromise.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The invocation description is extremely broad and includes high-risk wallet topics such as mnemonic, private key, seed phrase, MetaMask import, and wallet connection. That broad routing can cause the skill to activate on generic wallet-related requests and steer users into sensitive wallet-export flows, which is especially dangerous in a trading skill that also interfaces with live funds.

Missing User Warnings

High
Confidence
96% confidence
Finding
The controller can execute real Hyperliquid trades automatically once configured, and although the config has a `confirm` field, the code never enforces a confirmation gate before `marketBuy`, `marketSell`, or close operations. In a trading skill that can access a live wallet and react to monitor output, this creates a direct path to unintended or unauthorized financial transactions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code automatically loads wallet credentials from `wallet.json` or environment variables and then uses the private key to sign live trades via an external executor. In the context of a crypto trading skill that explicitly manages wallets and live execution, implicit credential pickup materially increases the chance of accidental live trading and expands the blast radius if local files or environment state are compromised.

Missing User Warnings

High
Confidence
99% confidence
Finding
Wallet creation silently writes address, private key, and mnemonic to disk without notice or consent at the moment of creation. The lack of disclosure is especially risky in this skill context because users may believe they are only using market-analysis features, not authorizing local creation and persistence of highly sensitive wallet credentials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API key is written to config.json without clear disclosure that a credential is being persisted locally. This can expose subscription/payment credentials to other local users, backup systems, or malware, especially if the working directory is shared or insufficiently protected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Referral redemption automatically saves the returned API token to disk with no advance notice. In a finance-related skill that already handles wallet and payment flows, silent credential persistence increases the chance that users unknowingly leave reusable access tokens on disk where they can be stolen or misused.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The subscription flow auto-saves the issued API token after payment without notifying the user that a credential will be persisted. Because this skill operates in a crypto/trading context, silently retaining paid-access credentials expands the blast radius of local compromise and can lead to unauthorized usage or billing-related abuse.

VirusTotal

61/61 vendors flagged this skill as clean.