crypto-trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto trading skill, but it can make or cancel live financial orders through broad agent-triggered commands without an enforceable confirmation gate in the runtime code.

Review carefully before installing. Keep CRYPTO_DEMO=true unless you intentionally want live trading, use exchange API keys with withdrawal permissions disabled, start only small strategies after an explicit confirmation, and be aware that emergency-stop can cancel all open orders across configured exchanges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tainted flow: '_STATE_PATH' from os.environ.get (line 23, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    def _save_state(self) -> None:
        _STATE_PATH.parent.mkdir(parents=True, exist_ok=True)
        with open(_STATE_PATH, "w", encoding="utf-8") as fh:
            json.dump(self._state, fh, indent=2, default=str)

    # ------------------------------------------------------------------
Confidence
93% confidence
Finding
with open(_STATE_PATH, "w", encoding="utf-8") as fh:

Tainted flow: '_PID_PATH' from os.environ.get (line 27, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    @staticmethod
    def _write_pid() -> None:
        _PID_PATH.parent.mkdir(parents=True, exist_ok=True)
        with open(_PID_PATH, "w") as fh:
            fh.write(str(os.getpid()))

    @staticmethod
Confidence
95% confidence
Finding
with open(_PID_PATH, "w") as fh:

Tainted flow: 'webhook_url' from os.environ.get (line 218, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        try:
            import requests
            payload = {"content": message}
            resp = requests.post(webhook_url, json=payload, timeout=10)
            if resp.status_code in (200, 204):
                return True
            logger.error("Discord webhook error: %d %s", resp.status_code, resp.text)
Confidence
89% confidence
Finding
resp = requests.post(webhook_url, json=payload, timeout=10)

Tainted flow: '_STATE_PATH' from os.environ.get (line 27, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    def _save_state(self) -> None:
        _STATE_PATH.parent.mkdir(parents=True, exist_ok=True)
        with open(_STATE_PATH, "w", encoding="utf-8") as fh:
            json.dump(self._state, fh, indent=2, default=str)

    def _reset_daily_if_needed(self) -> None:
Confidence
90% confidence
Finding
with open(_STATE_PATH, "w", encoding="utf-8") as fh:

Tainted flow: '_STATE_PATH' from os.environ.get (line 27, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
            "updated_at": datetime.now(timezone.utc).isoformat(),
        }
        _STATE_PATH.parent.mkdir(parents=True, exist_ok=True)
        with open(_STATE_PATH, "w", encoding="utf-8") as fh:
            json.dump(state, fh, indent=2, default=str)
Confidence
89% confidence
Finding
with open(_STATE_PATH, "w", encoding="utf-8") as fh:
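The five tainted-flow findings above share one root cause: a file path or a webhook URL is read from the environment and handed straight to a sink. The following is an added example (not the skill's code and not SkillSpector's output) showing how a practitioner would confine those values before use: the path is resolved and required to stay inside an assumed base directory, the state file is written atomically with owner-only permissions, and the webhook URL is accepted only over https to an allowlisted host. DEFAULT_STATE_DIR, ALLOWED_WEBHOOK_HOSTS and the function names are this example's own assumptions; the page does not name the environment variables the skill reads.

```python
import json
import os
from pathlib import Path
from typing import Any, Optional
from urllib.parse import urlparse

# Added example: hardening for values read from os.environ and used as
# file-write and network sinks. Nothing here is the skill's own code.

# Assumed base directory for every file the skill writes (constructed).
DEFAULT_STATE_DIR = Path.home() / ".crypto-trader"

# Assumed allowlist: the page only shows a Discord webhook being posted to.
ALLOWED_WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}


def resolve_state_path(env_value: Optional[str],
                       base_dir: Path = DEFAULT_STATE_DIR,
                       default_name: str = "state.json") -> Path:
    """Return a path that is guaranteed to lie inside base_dir.

    An environment value that escapes the base (absolute path elsewhere,
    '..' segments, a symlinked parent pointing out) raises instead of
    being written to, which is the failure the taint findings describe.
    """
    base = base_dir.resolve()
    candidate = Path(env_value) if env_value else base / default_name
    if not candidate.is_absolute():
        candidate = base / candidate
    resolved = candidate.resolve()          # follows symlinks in existing parts
    if resolved == base or not resolved.is_relative_to(base):
        raise ValueError(f"state path {env_value!r} escapes {base}")
    return resolved


def write_state(path: Path, state: Any) -> Path:
    """Write JSON state atomically with owner-only permissions (0600).

    The file holds trading state, so it is created with a fixed mode
    rather than inheriting the umask, and swapped in with one rename so
    a crash never leaves a half-written file behind.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    tmp = path.with_name(path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(state, fh, indent=2, default=str)
    os.replace(tmp, path)
    return path


def check_webhook_url(url: Optional[str]) -> Optional[str]:
    """Return url only if it is an https URL to an allowlisted host.

    'https://discord.com@attacker.example/x' parses with hostname
    'attacker.example', so the check is on the parsed host and rejects
    any userinfo, rather than doing a substring match on the string.
    """
    if not url:
        return None
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or host not in ALLOWED_WEBHOOK_HOSTS:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    return url


if __name__ == "__main__":
    import tempfile
    demo_base = Path(tempfile.mkdtemp())      # constructed, throwaway base
    for value in ("state.json", "../../etc/passwd", "/etc/passwd"):
        try:
            print(value, "->", resolve_state_path(value, demo_base))
        except ValueError as exc:
            print(value, "-> rejected:", exc)
    print(check_webhook_url("https://discord.com/api/webhooks/1/abc"))
    print(check_webhook_url("https://discord.com@attacker.example/x"))
```

A rejected path is a hard error rather than a silent fallback to the default: an operator who set the variable wrongly should find out at startup, not discover later that state went to a different file. The webhook check only stops the message going somewhere unexpected; what the message itself contains still has to be reviewed separately.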

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file advertises copy-trading capability but the core monitoring functions are stub implementations that always return no signals. In a trading skill, this is a security-relevant integrity issue because operators may rely on a strategy they believe is actively monitoring and mirroring trades when it is in fact non-functional, leading to unsafe automation assumptions, missed market actions, and misleading risk posture.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation guidance is broad enough to match ordinary questions about crypto trading, portfolio management, or market analysis, which can cause the skill to activate in situations where the user only wanted information. In a skill that can access balances, exchange accounts, and potentially execute strategies, overbroad triggering increases the risk of unintended high-impact actions or disclosure of sensitive financial data.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The emergency-stop examples include generic phrases like 'Emergency!' and 'Stop everything!', which overlap with normal conversational language and could be triggered accidentally or by ambiguous user input. In this context, the action cancels all open orders across all exchanges, stops all strategies, and flips a persistent kill switch, so a false trigger can cause immediate financial disruption and operational downtime.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cancellation methods directly perform destructive trading actions without any built-in confirmation, policy gate, or safety interlock. In an agent skill context, this increases the chance that a prompt injection, agent misinterpretation, or accidental invocation could cancel legitimate orders and disrupt active trading strategies.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The emergency_stop path immediately stops all strategies, cancels all orders on all configured exchanges, and activates a kill switch with no confirmation, dry-run, or explicit safeguard. In a live trading context this can cause immediate financial disruption, forced liquidation of strategy state, or unintended interference if triggered accidentally or by an upstream agent misunderstanding the request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The start_strategy and stop_strategy operations can alter live market behavior by initiating or halting automated trading, yet they accept direct execution without any user-facing warning, environment guard, or confirmation. Because this skill explicitly supports LIVE trading across multiple exchanges, accidental invocation or prompt/agent misuse could lead to unwanted trades, missed exits, or disrupted portfolio management.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This strategy automatically emits market buy and sell orders based on portfolio drift, with no explicit confirmation gate, user warning, or dry-run safeguard at the point of action generation. In a live crypto-trading skill, these orders can cause immediate and irreversible execution, especially during volatile markets or if configuration, balances, or pricing data are wrong.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The strategy generates executable buy and sell signals for a live trading system without any explicit confirmation, warning, or paper-trading guard at the strategy layer. In the context of a crypto auto-trading skill, this increases the chance that a user or upstream agent will trigger real market activity and financial loss without clear user awareness, especially because the code emits market and limit orders directly based on live data.
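The six Missing User Warnings findings and the two Vague Triggers findings describe one gap from two sides: cancel, emergency_stop, start_strategy/stop_strategy and the strategies' own order emission can all run from a single agent-triggered call, and the phrases that trigger them overlap with ordinary speech. One way to make the confirmation the overview asks for enforceable in code is a two-step interlock: the first call only registers the intended action and returns a one-time token plus a summary the agent must show the user; the second call runs the action only with that token, for that exact action and parameters, before it expires. The following is an added example (not the skill's code and not SkillSpector's output); ActionGate, ConfirmationRequired, FakeExchange and the default time-to-live are this example's assumptions, and only CRYPTO_DEMO is taken from the page.

```python
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

# Added example of a runtime confirmation gate for destructive trading
# actions. Names are this example's own; only CRYPTO_DEMO comes from the
# skill's documented configuration.


class ConfirmationRequired(Exception):
    """A live action was requested without a valid, matching, unexpired token."""


def _demo_from_env() -> bool:
    # Assumption: live trading only when CRYPTO_DEMO is explicitly "false";
    # an unset or malformed value stays in demo mode (fail closed).
    return os.environ.get("CRYPTO_DEMO", "true").strip().lower() != "false"


@dataclass
class ActionGate:
    ttl_seconds: float = 120.0
    demo: bool = field(default_factory=_demo_from_env)
    audit: List[Tuple[str, str, dict]] = field(default_factory=list)
    _pending: Dict[str, Tuple[str, tuple, float]] = field(default_factory=dict)

    def request(self, action: str, **params: Any) -> Tuple[str, str]:
        """Step 1: register the intended action and return (token, summary).

        The summary is what the agent must show the user verbatim. The
        token is bound to the action and its parameters so it cannot be
        reused for a different order or venue.
        """
        key = tuple(sorted(params.items()))
        token = secrets.token_urlsafe(16)
        self._pending[token] = (action, key, time.monotonic() + self.ttl_seconds)
        mode = "DEMO" if self.demo else "LIVE"
        summary = f"CONFIRM [{mode}] {action} " + " ".join(f"{k}={v!r}" for k, v in key)
        return token, summary.rstrip()

    def execute(self, token: str, action: str, fn: Callable[..., Any], **params: Any) -> Any:
        """Step 2: run fn(**params) only if token matches this exact request."""
        entry = self._pending.pop(token, None)      # one-time use, even on failure
        if entry is None:
            raise ConfirmationRequired(f"{action}: no pending confirmation for token")
        p_action, p_key, expires = entry
        if p_action != action or p_key != tuple(sorted(params.items())):
            raise ConfirmationRequired(f"{action}: token was issued for a different request")
        if time.monotonic() > expires:
            raise ConfirmationRequired(f"{action}: confirmation expired, request again")
        if self.demo:
            self.audit.append(("demo", action, dict(params)))
            return {"demo": True, "action": action, "params": dict(params)}
        self.audit.append(("live", action, dict(params)))
        return fn(**params)


class FakeExchange:
    """Constructed stand-in for an exchange client; holds open order ids."""

    def __init__(self, name: str, orders: List[str]):
        self.name = name
        self.orders = list(orders)

    def cancel_all(self) -> int:
        n = len(self.orders)
        self.orders.clear()
        return n


def emergency_stop(gate: ActionGate, exchanges: List[FakeExchange], token: str) -> Dict[str, int]:
    """Cancel everything on every exchange, but only through the gate."""
    return gate.execute(token, "emergency_stop",
                        lambda: {ex.name: ex.cancel_all() for ex in exchanges})


if __name__ == "__main__":
    gate = ActionGate(demo=False, ttl_seconds=60)
    venues = [FakeExchange("exchange-a", ["o1", "o2"]), FakeExchange("exchange-b", ["o3"])]
    # A bare "Stop everything!" only gets as far as request(); nothing is cancelled yet.
    token, summary = gate.request("emergency_stop")
    print(summary)                              # shown to the user for approval
    print(emergency_stop(gate, venues, token))  # runs only with the token
```

Two design choices matter here. The token is removed from the pending table before any check, so a token presented for the wrong action or parameters is burned rather than left for a retry, and an agent that guesses or replays one gains nothing. Demo mode is decided once from CRYPTO_DEMO at gate construction and short-circuits before the exchange callable is ever invoked, so a strategy wired through the gate cannot reach a live venue by accident; the audit list gives the operator a record of what would have run.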

VirusTotal

64/64 vendors flagged this skill as clean.
