ClawHub

Trading Bot Fleet Management: Unified Control for Multi-Bot Operations

Security checks across malware telemetry and agentic risk

Overview

This is a coherent trading-bot management guide, but it should be reviewed carefully because some high-impact safety and credential details are under-specified or inconsistent.

Install only if you are prepared to audit the examples before using them with real bots or funds. Treat the GreenHelix API key and signing key as sensitive, use sandbox or least-privilege credentials first, verify that key rotation actually updates the authoritative identity, and do not rely on the documented automatic SLA pause unless you implement and test that enforcement yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The guide states that key rotation updates the registered GreenHelix identity, but the implementation only submits metrics and sends a message with a new public key. That mismatch can leave the authoritative identity bound to the old key while operators believe rotation succeeded, causing failed authentication, broken trust checks, or continued acceptance of a compromised key.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The documentation promises automatic pausing on critical SLA violations, but the code only logs and alerts. In a trading context, this gap can allow a bot exceeding drawdown or latency limits to continue operating unchecked, increasing financial loss and preventing operators from relying on documented safety controls during incidents.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal