eToro Apps

Security checks across malware telemetry and agentic risk

Overview

This is a transparent eToro API guide, but it should be reviewed because it enables real-money trades and other account changes without built-in confirmation or credential-handling safeguards.

Review before installing. Use demo or read-only eToro credentials unless you explicitly intend live trading, keep tokens and user keys in a secret store, and require the agent to confirm every trade, close, cancellation, feed post, or deletion with the exact account, environment, instrument, size, and target ID before it acts.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium, 91% confidence

Finding
The skill documents real trading and other state-changing financial operations without requiring explicit user confirmation, risk acknowledgement, or a safety gate between demo and real endpoints. In an agent setting, this increases the chance of unintended live trades or other irreversible account actions from ambiguous prompts, parameter mix-ups, or prompt-injection-driven misuse.

Missing User Warnings

Medium, 88% confidence

Finding
The authentication section instructs use of bearer tokens, API keys, and user keys but provides no warning about secret handling, storage minimization, redaction, or avoiding logging these values. In agent workflows, credentials are especially likely to be echoed into tool traces, chat history, or debugging logs, which can enable account takeover or unauthorized trading if exposed.

VirusTotal

65/65 vendors flagged this skill as clean.
