Okx Dex Trenches

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed read-only crypto research tool, but it can automatically download and execute a remote CLI installer and contains one inconsistent trading next-step suggestion.

Review this before installing. Prefer installing and reviewing the onchainos CLI yourself instead of allowing the skill to auto-download and run installers, require explicit confirmation for any payment or trading-related transition, and ignore the `swap execute` suggestion unless you intentionally move to a separate trading workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium, 89% confidence
Finding
The skill is explicitly framed as read-only research, but this section broadens scope into real-time WebSocket monitoring and even directs users to a protocol spec for custom scripts and bots. That expansion can bypass the intended narrow, non-executing research boundary and encourage automation patterns that are harder to supervise, increasing the chance the agent is used for operational trading or surveillance workflows beyond the stated guardrails.

Intent-Code Divergence

High, 97% confidence
Finding
The skill repeatedly states that write intent must be rerouted and that no swap/execute actions should occur inside this skill, yet the suggested next steps include 'swap execute'. This contradiction weakens the safety boundary, making it more likely an agent will recommend or transition into trading behavior from a supposedly read-only context, which can lead to unauthorized or unsafe asset operations.

Description-Behavior Mismatch

Medium, 94% confidence
Finding
The shared preflight instructs the agent to install/update software and execute an installer before performing the skill, which exceeds the skill's stated read-only on-chain research purpose. Expanding a read-only skill into local software installation materially increases the attack surface and could lead to unintended code execution on the host if the supply chain or download flow is compromised.

Context-Inappropriate Capability

Medium, 97% confidence
Finding
These instructions direct the agent to fetch a remote installer and checksum files, then execute the installer script/powershell. Even with checksum verification, this creates a remote code execution path driven by network content and release metadata, which is not justified for a research-only skill and is especially risky in shared or automated agent environments.

VirusTotal

65/65 vendors flagged this skill as clean.