Dex Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real crypto trading skill, but it can handle wallet credentials, upload strategy code, and automate live trades, so users should review it carefully before installing.

Install only if you intentionally want an automated crypto trading tool. Prefer signal-only, dry-run, or testnet mode first; use a dedicated low-balance wallet; verify the server and vault URLs; never paste private keys into chat; and review any strategy source before uploading it or enabling live trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The instructions permit use of the openclaw CLI to send Telegram messages based on generated captions and outputs, which expands the skill from analysis into outbound messaging. If upstream output or captions contain untrusted content, this creates an unintended message-sending channel that could spam users, leak sensitive data, or relay manipulated content outside the expected task scope.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Vault setup, status, and deletion operations handle wallet credential lifecycle, which is substantially more sensitive than strategy generation or monitoring. Bundling these capabilities into the same skill increases the blast radius of misuse or prompt-triggered confusion, potentially exposing or altering access to accounts holding real assets.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The client exposes wallet private-key vault setup, status, and deletion features even though the skill is described as strategy creation, backtesting, optimization, and monitoring. Expanding the capability boundary to secret handling materially raises the risk of users being socially engineered into linking or uploading wallet credentials through a trading-assistant workflow, especially in a skill that already encourages automated execution and monitoring.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The module derives a stable per-workspace identifier, hashes it into a persistent device ID, stores it locally, and transmits it to a remote registration endpoint to enforce quotas. Even if it avoids MAC/IP collection, this is still persistent tracking unrelated to core strategy generation/backtesting behavior and creates a durable correlation handle for the server.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The comments state that no hardware or network information is collected, but the code uses filesystem workspace metadata as a stable identity source and then performs remote device registration. This mismatch is dangerous because it undermines informed consent and can mislead users and reviewers about the actual tracking behavior of the skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file provides live trading capabilities, including market/limit orders, leverage changes, and cancel-all operations, which materially exceed a strategy-generation/backtesting role. In this skill context, that is dangerous because natural-language interactions can directly trigger irreversible financial actions with real funds.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill depends on and executes an external Node.js CLI from a separately cloned repository, expanding the trust boundary beyond the documented Python framework. This introduces supply-chain and auditability risk because sensitive trading actions are delegated to code outside the declared architecture.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code prepends a hard-coded local directory to Python's import search path before importing core dependencies. In a trading skill that may execute strategy code on a server, this can cause unintended or attacker-controlled modules from that directory to be imported instead of trusted packages, creating a code-execution and environment-coupling risk.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match generic words like 'recommend', 'create', 'run', or numeric replies, making accidental activation likely. In a skill that can backtest, deploy monitors, and potentially lead into real trading flows, overbroad activation increases the chance of unintended high-impact actions being initiated from ordinary conversation.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The routing table uses ambiguous catch-all mappings and forces direct execution without sufficient confirmation in some cases. Combined with multi-step numeric continuation rules, this can cause the skill to interpret vague user input as authorization to continue sensitive workflows such as optimization or monitoring.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest explicitly advertises real-time strategy deployment and execution for cryptocurrency trading, but provides no warning, confirmation requirements, or safety constraints around automated financial actions. In this context, users may treat the skill as low-risk assistance while it can influence or trigger live trading decisions, creating meaningful financial loss potential and possible system-side operational risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
In server backtest mode, the code reads the entire local strategy file and uploads it to a remote server, but the user-facing flow does not prominently warn that full source code will be transmitted off-host. In a quant-trading context, strategy scripts may contain proprietary logic, embedded secrets, or sensitive comments, so silent transmission can cause confidentiality loss and accidental disclosure.

Missing User Warnings

High
Confidence
98% confidence
Finding
The methods expose immediate live-trading and order-cancellation actions without any confirmation, policy checks, simulation step, or risk controls. In a trading skill, this is especially dangerous because accidental or manipulated prompts could place, liquidate, or cancel orders and cause direct financial loss.

VirusTotal

64/64 vendors flagged this skill as clean.
