World Cup Assist Value Trading

Security checks across malware telemetry and agentic risk

Overview

This is a dry-run sports trading signal skill, but it under-discloses API key use and discusses live scheduled trading without clear user approval or safeguards.

Review this carefully before installing. Treat it as a dry-run signal generator only unless you add explicit live-trading controls, understand the financial risk, and are comfortable providing SIMMER_API_KEY and TAVILY_API_KEY for outbound requests to Simmer and Tavily.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The notes explicitly plan a transition from dry-run behavior to actual Simmer API trading and scheduled automated execution, but they do not include any warning, gating, or approval requirement for real-money financial actions. In an agent skill context, this can normalize or enable unattended automated trading without clear user consent, risk disclosure, or operational safeguards, increasing the chance of financial loss from bad signals, unreliable scraped data, or misconfiguration.

Missing User Warnings

Medium
Confidence: 81%
Finding
The script performs authenticated outbound requests to third-party services using environment-sourced API keys without any user-facing disclosure, consent, or warning. In agent/skill contexts, silent network activity with attached credentials is risky because operators may not realize secrets are being used or what external services receive data.

VirusTotal

65/65 vendors flagged this skill as clean.
