Claw Trader Lite

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a read-only market monitor, with the main caution that adding a wallet address lets it retrieve portfolio information for that address.

Reasonable to install for read-only market monitoring if you trust the publisher. Do not provide private keys or trading API secrets. Set HYPERLIQUID_ACCOUNT_ADDRESS only if you are comfortable letting the agent and Hyperliquid API query balances and open positions for that public address, and independently verify any external Claw Pro or Telegram trading offer before engaging with it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 95% confidence
Finding: The documentation encourages users to provide a wallet address to retrieve balances and positions, but it does not clearly warn that this address can be linked to portfolio activity via external APIs. Even though the address is public on-chain, aggregating it through this skill exposes sensitive financial visibility and may surprise users who assume 'read-only' implies no privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal