Hyperliquid Trading Agent

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed trading-agent skill, but it can control real-money automated trading and has under-guarded state changes and secret-handling gaps that should be reviewed before installation.

Install only if you intend to give this skill real trading-agent authority. Use a dedicated revocable ZoneIn API key, prefer HITL mode over auto mode, review every command before approval, set withdrawal whitelists and loss limits, avoid pasting Telegram bot tokens into shared logs or transcripts, and be especially careful with agent-update, agent-delete, and telegram-disable because they do not have a programmatic confirmation gate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Medium (82% confidence)
Finding
The trigger phrases are broad and overlap with common market-analysis requests such as general questions about trading signals, market analysis, or whale activity. That can cause the skill to activate in contexts where the user did not intend to invoke a live-trading-capable integration, increasing the chance of unnecessary data access, confusing routing, or escalation into financial workflows.

Vague Triggers

Medium (88% confidence)
Finding
The intent mapping uses broad, natural-language phrases like 'safe', 'balanced', 'follow whales', and 'go big' to automatically choose trading agent types. In a trading skill, ambiguous or overly permissive mappings can misclassify user intent and silently select a materially different risk profile, leverage style, or asset class, which may lead to unsafe autonomous trading behavior or unintended execution.

Missing User Warnings

Medium (88% confidence)
Finding
The workflow instructs users to paste a Telegram bot token directly into commands without any explicit credential-handling warning. In an agent/chat environment, this increases the risk that secrets are exposed in chat history, logs, terminal history, telemetry, screenshots, or shared sessions, which could let an attacker take over the bot and intercept or spoof trading notifications and approvals.

Missing User Warnings

Medium (95% confidence)
Finding
The document explicitly describes an `auto` mode that executes trades immediately on Hyperliquid, but it does not pair that capability with a clear warning about real financial loss, irreversible market actions, slippage, liquidation risk, or the dangers of LLM-driven decision errors. In the context of an autonomous trading agent, this omission is material because users may enable full automation without understanding that model mistakes or bad signals can rapidly cause losses.

Missing User Warnings

Medium (88% confidence)
Finding
The script accepts a Telegram bot token and transmits it to the remote API without any local warning, confirmation gate, or masking guidance. In an agent setting, high-value credentials passed on the command line are easy to mishandle, to leak via logs or shell history, or to forward without the user understanding their sensitivity.

Missing User Warnings

High (96% confidence)
Finding
Agent deletion is a destructive state-changing operation with no confirmation requirement, unlike several other financial actions in the script. In this trading context, accidental or agent-induced deletion could disrupt active strategies, remove configuration, and potentially interfere with access to managed funds or audit trails.

Missing User Warnings

Medium (82% confidence)
Finding
Disabling Telegram notifications and removing the webhook changes the user's monitoring and control channel but is executed without confirmation. In a HITL trading workflow, silently severing that channel can cause missed approvals, alerts, or incident notifications, increasing operational risk.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
