eToro API

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate eToro API reference, but it can let an agent place or cancel real-money trades without built-in confirmation safeguards.

Review before installing. Prefer a Virtual/Demo or read-only eToro key, keep keys in secure secret storage, and require the agent to restate the real environment, instrument, side, amount or units, leverage, and exact order or position, and to get your explicit approval, before any live trading action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly enables real trade execution and order/position cancellation but does not require an explicit user confirmation step or present a strong warning for irreversible financial actions. In an agent setting, this increases the risk of accidental or prompt-induced real-money trades, liquidations, or cancellations with direct financial loss.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs users to provide sensitive API credentials, including a user key that can authorize account access and potentially trading, without guidance on secure handling, storage, or redaction. This raises the chance that secrets will be exposed in prompts, logs, traces, or downstream tools, enabling unauthorized account access.

VirusTotal

66/66 vendors flagged this skill as clean.
