Thetaedge Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent ThetaEdge finance integration, but it needs review because it handles sensitive financial data and includes under-warned actions that may execute trading opportunities.

Review before installing. Use this only if you intend to let an agent send financial prompts and account-scoped ThetaEdge data to the ThetaEdge API. Treat the ThetaEdge key like a sensitive financial credential, verify the config file permissions, avoid sharing or backing up those config files, and require explicit human confirmation before any `act` or execute-style opportunity action. Use SSH agent forwarding in the VM setup only for trusted, short-lived sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The code persists API credentials into local agent configuration files and modifies host-side settings, which exceeds the stated end-user finance/trading capability of the skill. In a skill ecosystem, undisclosed persistence and config mutation increase the attack surface because they create durable access and may affect other tooling contexts beyond a single session.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger scope is extremely broad ('any finance, investing, or trading related tasks' and 'any related topic'), which can cause the skill to activate for ordinary conversations and send sensitive prompts, portfolio details, or account-scoped requests to an external service unnecessarily. In a finance context, overbroad invocation materially increases privacy and data-exposure risk because user queries may contain holdings, transactions, and account identifiers.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill handles highly sensitive financial context—portfolio analysis, transactions, positions, account IDs, and web queries—but does not clearly warn users that this information may be transmitted to the ThetaEdge API. Without an explicit disclosure, users may unknowingly expose personal financial data to a third party, especially when the skill is user-invocable across broad finance topics.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly instructs users to enable SSH agent forwarding into the VM and even verify it by authenticating to GitHub, but it does not warn that any process with access to the forwarded agent socket inside the VM may be able to use the host's SSH identities. If the VM, OpenClaw, Claude Code, or a dependency is compromised, the attacker could pivot by using the forwarded agent to access private repositories or other SSH-trusted systems during that session.

Missing User Warnings

High
Confidence
93% confidence
Finding
This endpoint can perform real financial actions against a user's brokerage-linked opportunity, yet the reference does not prominently warn that `action: "act"` may execute a live account action with monetary consequences. In a finance/trading skill, ambiguous or under-warned action endpoints materially increase the risk of harmful agent-driven execution, especially if user prompts are interpreted loosely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The health check reads the configured API key and includes a partially masked version in terminal/JSON output. Even partial secrets can aid correlation and can leak identifiable credential prefixes into logs, CI output, shell history captures, or screenshots, and there is no warning or opt-in before secret material is exposed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installer prompts for a ThetaEdge API key and writes it directly into ~/.openclaw/openclaw.json, but it does not explicitly warn the user that the secret will be stored in plaintext on disk. Although the script sets file permissions to 600, plaintext persistence still increases exposure through local compromise, backups, dotfile syncing, accidental disclosure, or later permission changes. In a finance/trading skill, the credential may grant access to sensitive market, portfolio, or brokerage-adjacent data, which increases the sensitivity of the stored secret.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Writing API credentials to persistent local configuration without clear user-facing disclosure is risky because users may not realize secrets are being stored durably or where they reside. In a multi-agent/tooling environment, this can lead to unintended credential exposure through backups, file sharing, or access by other local processes/users.

VirusTotal

65/65 vendors flagged this skill as clean.
