ClawHub

Bot-to-Bot Arbitrage Framework: Multi-Bot Coordination with Trust Verification

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable arbitrage guide, but its copy-paste examples can affect funds and trading privacy while some safety claims conflict with the shown code.

Review carefully before installing or following the examples. Keep all experiments on sandbox or paper-trading systems, verify the endpoint before running snippets, use isolated least-privilege signing keys, never publish trade details or execution signals to a shared event bus, and do not connect real wallets, exchange accounts, or funds without explicit human approval, limits, and compliance review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The guide explicitly recommends revealing opportunity details only to authorized counterparties via encrypted/private channels, but the sample implementation publishes the full preimage to the event bus. That contradiction can leak trade details to unintended observers, enabling front-running, copy trading, or strategy extraction before execution completes.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The coordinator claims each bot should receive only its own leg, but `dispatch_execution` iterates over all legs and publishes each signal without any visibility restriction or recipient binding. In a multi-party arbitrage setting, exposing both sides of the trade can leak the complete opportunity and materially increase MEV/front-running risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal