ClawHub

Quant System 5steps

Security checks across malware telemetry and agentic risk

Overview

This skill is a quant-analysis helper that makes expected market-data API calls, with no evidence of credential theft, persistence, destructive actions, or live trading.

Install only if you are comfortable sending queried trading symbols and timing to Binance and Hyperliquid. Treat outputs as research, not trading advice, and verify whether results used real market history or the code's synthetic fallback before making financial decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises network-reliant functionality through multiple external market data sources (Hyperliquid and Binance) and example code that runs a trading pipeline, yet it declares no permissions. Undeclared network capability is dangerous because it prevents users and hosting platforms from making an informed trust decision and can enable silent outbound connections, data exfiltration, or unreviewed third-party API access.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill contacts third-party APIs automatically without clearly informing the user that market queries and requested symbols will be transmitted off-host. In an agent-skill context, undisclosed outbound network activity is security-relevant because it can leak user intent, trading interests, or operational metadata to external services.

External Transmission

Medium
Category
Data Exfiltration
Content
# Try Hyperliquid
        try:
            r = requests.post("https://api.hyperliquid.xyz/info", 
                           json={"type": "allMids"}, timeout=10)
            data = r.json()
            coin = symbol.replace("USDT", "")
Confidence
87% confidence
Finding
requests.post("https://

External Transmission

Medium
Category
Data Exfiltration
Content
# Try alternative: Hyperliquid historical (synthesized from current price)
        try:
            coin = symbol.replace("USDT", "")
            r = requests.post("https://api.hyperliquid.xyz/info", 
                            json={"type": "candle", "coin": coin, "interval": "1h", "limit": limit}, 
                            timeout=10)
            data = r.json()
Confidence
89% confidence
Finding
requests.post("https://

External Transmission

Medium
Category
Data Exfiltration
Content
# Try Hyperliquid
        try:
            r = requests.post("https://api.hyperliquid.xyz/info", 
                           json={"type": "allMids"}, timeout=10)
            data = r.json()
            coin = symbol.replace("USDT", "")
Confidence
87% confidence
Finding
requests.post("https://api.hyperliquid.xyz/info", json=

External Transmission

Medium
Category
Data Exfiltration
Content
# Try alternative: Hyperliquid historical (synthesized from current price)
        try:
            coin = symbol.replace("USDT", "")
            r = requests.post("https://api.hyperliquid.xyz/info", 
                            json={"type": "candle", "coin": coin, "interval": "1h", "limit": limit}, 
                            timeout=10)
            data = r.json()
Confidence
89% confidence
Finding
requests.post("https://api.hyperliquid.xyz/info", json=

External Transmission

Medium
Category
Data Exfiltration
Content
# Try Hyperliquid
        try:
            r = requests.post("https://api.hyperliquid.xyz/info", 
                           json={"type": "allMids"}, timeout=10)
            data = r.json()
            coin = symbol.replace("USDT", "")
Confidence
87% confidence
Finding
https://api.hyperliquid.xyz/

External Transmission

Medium
Category
Data Exfiltration
Content
# Try Binance
        try:
            r = requests.get(f"https://api.binance.com/api/v3/ticker/price?symbol={symbol}", timeout=10)
            if r.status_code == 200:
                prices.append(float(r.json()["price"]))
        except:
Confidence
90% confidence
Finding
https://api.binance.com/

External Transmission

Medium
Category
Data Exfiltration
Content
"""Get order book for depth analysis"""
        import requests
        try:
            r = requests.get(f"https://api.binance.com/api/v3/depth?symbol={symbol}&limit=10", timeout=10)
            data = r.json()
            bids = [[float(p[0]), float(p[1])] for p in data.get("bids", [])[:5]]
            asks = [[float(p[0]), float(p[1])] for p in data.get("asks", [])[:5]]
Confidence
89% confidence
Finding
https://api.binance.com/

External Transmission

Medium
Category
Data Exfiltration
Content
"""Get historical OHLCV data"""
        # Try Binance first
        try:
            url = f"https://api.binance.com/api/v3/klines?symbol={symbol}&interval={interval}&limit={limit}"
            r = requests.get(url, timeout=10)
            if r.status_code == 200:
                data = r.json()
Confidence
90% confidence
Finding
https://api.binance.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# Try alternative: Hyperliquid historical (synthesized from current price)
        try:
            coin = symbol.replace("USDT", "")
            r = requests.post("https://api.hyperliquid.xyz/info", 
                            json={"type": "candle", "coin": coin, "interval": "1h", "limit": limit}, 
                            timeout=10)
            data = r.json()
Confidence
89% confidence
Finding
https://api.hyperliquid.xyz/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal