Aicoin Trading

Security checks across malware telemetry and agentic risk

Overview

This is a real crypto trading skill, but it contains under-disclosed paths that can place or cancel live leveraged trades without the documented confirmation flow.

Install only if you intentionally want an agent to access live crypto exchange accounts. Use least-privilege API keys with withdrawals disabled, avoid the auto-trade and trade.mjs paths unless they have been reviewed, require manual confirmation for every order, cancellation, close, leverage, margin, or transfer action, and review the .env probing and the broker/referral behavior before providing credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The skill explicitly says Hyperliquid orders must be routed to the onchain skill, but later documents Hyperliquid as a supported exchange/format. In an execution-oriented trading skill, this inconsistency can cause an agent to route or format orders incorrectly, leading to unintended trading behavior or use of the wrong backend for live orders.

Intent-Code Divergence

Low
Confidence: 90%
Finding
The script discloses local environment information when a key is found by returning both a partial API key preview and the exact .env file path. While this is not remote code execution or key exfiltration, it unnecessarily exposes sensitive local metadata that can aid fingerprinting of the user's environment or confirm credential presence to downstream consumers.

Intent-Code Divergence

High
Confidence: 99%
Finding
The security notice is materially misleading: it states keys are only for market data and cannot perform trading, while this file clearly supports authenticated trading, leverage changes, transfers, order cancellation, and position closing. Users may be induced to provide exchange API keys under false safety assumptions, which increases the likelihood of unauthorized or overly broad credential use.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger list includes very broad words like '买', '卖', 'long', 'short', and '下单', which can appear in ordinary discussion, analysis, or non-CEX contexts. That increases the chance this high-risk trading skill is invoked when the user did not intend to place an exchange order, creating a path to accidental order previews or destructive follow-on actions after minimal clarification.

Missing User Warnings

Medium
Confidence: 90%
Finding
`cancel_order` is a state-changing trading action, but the documentation provides no preview, warning, or explicit confirmation requirement comparable to create-order and close-position flows. In a live trading context, silent cancellation can remove protective limit, stop-loss, or take-profit orders and materially increase user risk.

Missing User Warnings

High
Confidence: 96%
Finding
The open and close actions can execute real market orders and cancel orders immediately, with no explicit interactive confirmation, dry-run mode, or safety interlock in this file. In an agent-skill context, that is dangerous because an LLM, prompt injection, or user misunderstanding could trigger irreversible financial transactions and position changes with direct monetary loss.

Missing User Warnings

Medium
Confidence: 89%
Finding
The code automatically runs 'npm install --omit=dev' via execSync when ccxt is missing, without explicit user confirmation at the point of execution. This executes package-manager lifecycle behavior and pulls code from the dependency supply chain, creating avoidable risk in a security-sensitive trading tool.

VirusTotal

VirusTotal findings are pending for this skill version.