Simmer Weather Trader

Security checks across malware telemetry and agentic risk

Overview

This is a real weather-trading bot, but it warrants a Review verdict because it can place trades while some documented safety controls are missing or weaker than promised.

Install only after reviewing and tightening the trading controls. Require an actual dry-run default or explicit live-trading opt-in, add a final confirmation before every order, restrict authorized Telegram users, enforce true four-source numeric agreement, and disclose all required credentials and external services. The evidence supports Review rather than malicious: static scan was clean, VirusTotal was only stale telemetry, and I found no hidden exfiltration or destructive local behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill documentation indicates it reads environment variables and makes network calls, but it does not declare corresponding permissions. Missing permission declarations reduce transparency and prevent users or hosting platforms from understanding that the skill can access secrets and communicate with external services, which is especially risky for an automated trading bot handling API keys and trade execution.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented behavior materially differs from the analyzed behavior: the skill exposes a Telegram control interface, performs live trading, queries account/position data, runs health checks, and does not actually implement the claimed Polymarket support or the stated four-source ±1°F consensus logic. In a financial automation context, these discrepancies can mislead users about risk, decision criteria, and externally exposed surfaces, causing them to authorize a bot they do not fully understand.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The README describes a strict multi-source weather-consensus trading bot, but it also introduces an additional AI reasoning gate via DeepSeek/NVIDIA that materially affects whether trades occur. This mismatch can mislead users, auditors, or remixers about the actual decision logic, reducing transparency for a system that performs autonomous financial actions.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The skill advertises trading only when all four forecasts agree within ±1°F, but the enforcement logic sets `sources_agree = spread_3 <= 1`, which excludes the FourcastNet result from the agreement gate. In a weather-trading bot, this can cause trades to execute under materially weaker conditions than promised, undermining risk controls and potentially triggering bad trades when the AI/model forecast disagrees sharply with the other sources.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding: The documentation and interface state that FourcastNet serves as the 4th independent forecast source, but the implemented decision logic does not actually require its agreement for trading. This mismatch is security-relevant because users may rely on the stated safeguard when delegating automated trading authority, while the code silently applies a weaker policy than represented.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: This file includes functions to retrieve positions, agent account details, and full briefing data, which go beyond the stated weather-trading purpose. Even if these are read-only, exposing broader account introspection expands the skill's privilege surface and increases the amount of sensitive operational data available to the skill or to any downstream component that can invoke it.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The manifest claims a four-source consensus strategy, but execute_trade performs a live trade without any verification in this file that such consensus was actually computed or satisfied. This creates a trust gap where operators may believe trades are constrained by strict forecast validation when, in practice, this component can place orders independently if called.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The code can set the score directly to 100 when the FourcastNet-derived flags are all true, but it never verifies that FourcastNet's forecast temperature is actually within ±1°F of NOAA, Open-Meteo, and Wunderground as the skill description promises. In an automated trading context, this mismatch between advertised policy and implemented logic can cause trades to execute on weaker-than-claimed consensus, increasing the chance of bad trades and misleading users about the bot's safeguards.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill mentions a `--live` flag but does not prominently warn that enabling it can place real-money trades. For an automated trading skill, inadequate disclosure increases the chance of accidental financial loss, especially when combined with remote controls like Telegram and broad external data dependencies.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The README explains how the bot can execute trades and exposes commands like 'Predict & Bet' without a clear warning that these are financial actions affecting account positions and balances. For an automated trading skill, insufficient user warning increases the risk of unintended or uninformed account activity, especially if remixed or deployed by less technical users.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: execute_trade issues a real POST to the trade endpoint with market ID, side, amount, and venue, and there is no user confirmation, dry-run mode, secondary approval, or explicit safety interlock. In an automated agent setting, this enables immediate irreversible financial actions from a single code path, making mistakes, prompt injection elsewhere, or misuse materially harmful.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The bot executes `execute_trade(...)` immediately once its automated criteria are met, with no explicit user confirmation step, pre-trade summary, or chance to cancel. In a Telegram UI for real-money or value-bearing prediction-market trading, a mistaken tap, stale market selection, bad upstream data, or manipulated forecast/AI output can directly trigger an irreversible financial action.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.