Bitpanda V2

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Bitpanda portfolio helper that reads financial account data, so it is privacy-sensitive but coherent with its purpose.

Install only if you are comfortable letting the agent retrieve raw Bitpanda portfolio and trade data. Use a dedicated read-only Bitpanda API key with the minimum permissions needed, avoid granting trading or withdrawal permissions, and be careful with permanent shell-profile storage because outputs and credentials can be exposed through logs, backups, or shared dotfiles.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill exposes commands that retrieve balances, holdings, and trade history, all of which are sensitive financial data, but does not warn users about privacy and disclosure risks. In an agent setting, this increases the chance that users run commands without understanding that complete portfolio and transaction information may be displayed, logged, or shared with downstream tools.

Missing User Warnings

Medium
Confidence: 95%
Finding
The instructions recommend persisting the Bitpanda API key in environment configuration files such as `~/.bashrc`, which can lead to credential exposure through backups, dotfile sync, shell history mistakes, local compromise, or accidental sharing. Because this is a live financial API credential, leakage could expose portfolio data and potentially enable account actions depending on granted scopes.

VirusTotal

64/64 vendors flagged this skill as clean.
