okx-sentiment-tracker

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a read-only OKX news and sentiment helper, but one workflow expands into private account position checks and personalized trading guidance without enough scoping or consent language.

Install only if you are comfortable with an OKX CLI that uses live API credentials for news access. Treat the position-impact workflow carefully: it may cause an agent to read private account positions and balances and produce personalized trading guidance, so require explicit confirmation before any account-data access and do not let it place orders without separate approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill explicitly instructs the agent to perform generic web searches and merge those results into the response, which expands the skill from a bounded OKX-only data source into open-ended external network access. That increases prompt-injection, data provenance, and policy-scope risk because arbitrary web content can influence answers despite the skill being presented as an OKX news/sentiment/calendar capability.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The document asserts that all news and sentiment commands are read-only, but later workflows instruct the agent to access account positions and give position-management suggestions. This mismatch can cause unsafe capability escalation because downstream agents or users may trust the read-only claim and permit a workflow that crosses into sensitive portfolio analysis and quasi-trading advice.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
This workflow expands a news/sentiment skill into portfolio-impact analysis and actionable guidance tied to user positions, which is a materially different and more sensitive capability. If followed by an agent, it could pull private account data and generate personalized trading recommendations without the user intentionally invoking a portfolio or trading skill.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The documentation explicitly introduces account-access (`positions`, `balance`) and personalized position-management logic in a skill whose stated purpose is market news, sentiment, and macro calendar research. That creates an unjustified path from public-information analysis to private financial data access, increasing the risk of privacy violations, over-privileged execution, and unsuitable financial advice.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger description is extremely broad, covering common phrases like 'latest news', 'market update', and 'daily briefing', which can cause the skill to activate for many generic requests outside its narrow intended scope. Over-broad routing increases the chance of unintended tool use, unnecessary credentialed API access, and invocation in contexts where another safer or more appropriate skill should handle the request.

VirusTotal

64/64 vendors flagged this skill as clean.
