Security audit

Vantage — HL Autonomous Trading Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a largely coherent autonomous trading agent, but it deserves review because it can place real live trades with a private key, and because it includes broader THORChain routing and optional cloud-based decision-making that the headline does not suggest.

Install only if you are comfortable giving this skill a Hyperliquid trading private key and letting it run an autonomous live order loop. Start in paper mode, use a limited-risk wallet, set strict position and risk caps, avoid `OPENAI_API_KEY` unless you accept cloud processing of trading signals, and independently verify any THORChain address, memo, amount, fee, and slippage before moving funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill advertises executable behavior that uses environment variables and network access, but does not declare corresponding permissions in its metadata. This reduces transparency and informed consent, especially because the documented workflow involves a private key, public API access, and live order execution, making the undeclared capability set materially security-relevant.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose is a Hyperliquid trading agent, but the detected behavior includes THORChain routing, swap memo generation, inbound address retrieval, pool scanning, and cross-chain/arbitrage tooling that materially expands the operational scope. Hidden or under-disclosed fund-movement functionality is dangerous because users may provide wallet credentials expecting only exchange trading, while the skill may also prepare or facilitate cross-chain asset transfers with different risks and trust assumptions.

Context-Inappropriate Capability
Severity: Low
Confidence: 80%
Finding: The documentation introduces cross-chain fund movement references that are not central to the stated Hyperliquid trading-agent purpose. While the links are placeholders, this still broadens the implied trust boundary toward moving assets across chains, which can expose users to irreversible transfer mistakes, phishing substitution, or misuse if later populated without clear disclosure.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The file implements THORChain quote, pool scan, and inbound-address utilities, which materially differs from the advertised Hyperliquid perpetual-futures trading functionality in the skill metadata. This kind of capability mismatch is dangerous because operators may grant the skill trust, permissions, or execution pathways based on the manifest description, while the actual code performs unrelated live cross-chain routing actions and external network calls.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The skill description promises 'No cloud infra' and local execution, but the decision layer can transmit market signals to OpenAI when OPENAI_API_KEY is configured. This is a real security/privacy mismatch because users may reasonably assume no off-device transmission while the agent can send trading context to a hosted third party.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The live trading command is presented alongside paper mode without a prominent warning that running it can place real market orders using the configured private key. In the context of an autonomous trading agent, this omission materially increases the chance of accidental live execution, which can immediately cause financial loss through unintended positions, slippage, fees, or liquidation.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The setup instructions tell users to place a Hyperliquid private key in a .env file without any safety guidance on secure handling, storage, or exclusion from source control. Because this key authorizes signing real orders, poor secret-handling guidance increases the risk of credential leakage via git commits, shell history, backups, logs, or local compromise, potentially leading to unauthorized trading or loss of funds.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill documentation instructs an agent to execute a THORChain swap using inbound addresses and the memo protocol, but it provides no warning that these actions can move real funds irreversibly across chains. In the context of an autonomous trading agent, missing safety language and confirmation requirements increase the chance of accidental asset loss, wrong-chain deposits, or unintended execution by users or downstream agents.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill documents a live trading command immediately alongside paper mode, but does not explicitly warn that running it will submit real market orders using the configured private key. In the context of an autonomous perpetual futures trader, this omission materially increases the chance of accidental real-money trading, leverage exposure, and irreversible losses by users who may assume the command is still safe for testing.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The setup instructions tell users to copy and populate a .env file with a Hyperliquid private key, but provide no warning about secure storage, exclusion from version control, or the risk of key compromise. Because this skill is designed to sign and execute trades, exposure of that key could allow unauthorized trading or fund loss, making credential-handling guidance especially important in this context.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The code sends serialized signal data to Ollama or OpenAI for trade decisions, but the CLI help and startup messages do not warn users that signal data may leave the local environment. In a financial trading agent marketed as local-first, lack of disclosure increases the risk of unintended data exposure and undermines informed consent.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The script reads the user's private key locally to derive an address and then sends the wallet address to Hyperliquid to fetch account state. The private key itself is not transmitted, but the code performs sensitive wallet handling and external account correlation without an explicit warning or consent step, which can surprise users and disclose wallet-linked metadata to third parties.

VirusTotal

66/66 vendors flagged this skill as clean.