OKX DeFi Invest

Security checks across malware telemetry and agentic risk

Overview

This instruction-only DeFi skill is not malicious, but it needs review because its transaction-capable wallet workflows are high impact and its routing rules conflict with its own protocol-specific examples.

Install only if you want an OKX-related agent to prepare DeFi transactions and you are comfortable reviewing financial actions before signing. Treat any invest, withdraw, collect, approve, or contract-call step as real asset-moving activity; verify the chain, protocol, wallet address, spender, amount, slippage, approval scope, and calldata, and route requests naming a specific DApp to the intended DApp-discovery skill instead.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High severity, 94% confidence
The reference explicitly documents named third-party platforms such as Aave V3, Lido, and PancakeSwap inside a skill whose manifest says named DApps must be routed elsewhere. That mismatch can cause the agent to execute out-of-scope protocol-specific actions under the wrong skill, weakening routing controls and increasing the chance of unsafe or incorrect transaction generation.

Description-Behavior Mismatch

High severity, 97% confidence
The `defi search` command allows `--platform` targeting and even gives protocol-specific examples, directly contradicting the manifest's requirement that users naming a third-party protocol must not use this skill. In an agent setting, this creates a concrete path for prompt or routing bypass: a user can steer the supposedly agnostic skill toward a specific external protocol and then proceed to transaction preparation and execution.

Description-Behavior Mismatch

High severity, 98% confidence
The examples instruct use of named protocols like PancakeSwap and Aave within this skill, which normalizes violating the manifest's routing boundary. Because these examples include transaction-building flows, they can train or prime the agent to perform protocol-specific deposits, redemptions, and claims in the wrong skill, undermining separation-of-duties safeguards.

Missing User Warnings

Medium severity, 88% confidence
The examples describe generating calldata and then signing/broadcasting it, but do not prominently warn that these are real asset-moving blockchain operations with irreversible consequences. In a transaction-capable agent context, missing safety language increases the risk that users or downstream agents treat the examples as harmless reads rather than live financial actions.

Missing User Warnings

Medium severity, 90% confidence
The deposit/redeem docs note `APPROVE` operations in `dataList` but do not clearly warn that executing them grants token allowances to third-party contracts, which can persist beyond the immediate transaction. In DeFi workflows, silent allowance creation is a meaningful risk because overbroad or misunderstood approvals can later enable unintended token transfers if the spender is compromised or misused.

VirusTotal

65/65 vendors flagged this skill as clean.