TBOT Controller

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its TBOT trading-control purpose, but its webhook mode can send authenticated trading signals using local secrets without the promised confirmation guard.

Install only if you intentionally want OpenClaw to inspect and control a TBOT/TradingBoat runtime. Treat json mode as a real authenticated webhook send, not a dry run; use paper trading first, confirm live-vs-paper configuration, keep webhook secrets out of transcripts/logs, and avoid auto-discovered secrets unless you understand which runtime directory is being used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents capabilities to read environment variables and files, invoke shell commands, write files, and make network requests, but it does not declare permissions correspondingly. That creates a trust and policy gap: a caller may assume the skill is lower-risk than it actually is, while the skill can still reach sensitive runtime state and execute operational actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description emphasizes controlled automation with DB-first queries and lifecycle control on explicit request, but the document also defines a mode that generates and sends webhook payloads capable of triggering trading actions. This mismatch is dangerous because it can mislead users and orchestrators about the skill's true authority, reducing scrutiny around live state-changing network operations.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation contains a direct contradiction: one section says json mode sends payloads to the TBOT webhook, while another claims no network calls or broker actions are performed. Contradictory safety documentation can cause operators or agents to invoke a state-changing path under the false belief it is inert, increasing the chance of unintended trade execution or signal delivery.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script automatically searches multiple candidate directories for a runtime .env and .keyfile, then derives or retrieves webhook authentication material from them. In a controlled automation interface, this exceeds least-privilege expectations because a caller can trigger secret discovery from local runtime state rather than requiring explicit credential provisioning, increasing the risk of unintended credential use and secret exposure through broader filesystem access assumptions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs the agent to infer trading intent and send webhook actions without an explicit warning that this is a live, state-changing network operation. In a trading context, inferred execution can translate natural-language ambiguity into real orders or closes, making the context especially dangerous because the target system controls financial positions.

Ssd 3

High
Confidence
99% confidence
Finding
The skill directs the agent to read a webhook secret from the runtime environment or .env and include it in generated JSON output. This is a direct secret-exposure risk: once surfaced in output, logs, transcripts, or downstream tools, the shared secret can be reused to forge trading webhooks and trigger unauthorized actions.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
`json` mode generates a schema-valid TradingView-style payload and **sends it** to TBOT via webhook.

Defaults / inference rules (do not ask the user):
- **Webhook URL**: default `http://127.0.0.1:5001/webhook` (override with `TBOT_WEBHOOK_URL`).
- **Webhook key**: read from runtime `.env` (override with `WEBHOOK_KEY`).
- **orderRef**: if not provided, auto-generate `Close_<TICKER>_<QTY>_<epoch_ms>`.
Confidence
93% confidence
Finding
do not ask the user

VirusTotal

64/64 vendors flagged this skill as clean.
