nexustrader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local crypto-trading bridge, but it can place real orders through configured exchange credentials without a programmatic safety gate.

Install only if you intend to let OpenClaw interact with exchange accounts. Use testnet or read-only/scoped keys first, keep autostart disabled unless needed, verify your agent asks before every order/cancel/modify action, and inspect remote installer commands before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The bridge can launch a background daemon via a local shell script, which expands its capabilities from a simple client into local process control. In a trading skill context, this is more sensitive because it can automatically bring up infrastructure that has access to exchange credentials and order-placement functions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The bridge forwards arbitrary tool calls directly to the MCP server, including order-placement operations, without any runtime confirmation, allowlist, or extra friction for destructive actions. In a live trading context this is dangerous because a mistaken, malformed, or prompt-induced invocation can place real orders immediately using configured exchange credentials.

External Script Fetching

Low
Category
Supply Chain
Content
```sh
# 2. Install uv (if not already installed)
# Linux / macOS:
curl -LsSf https://astral.sh/uv/install.sh | sh
# Windows (PowerShell):
# powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
```
Confidence
95% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
```sh
# 2. Install uv (if not already installed)
# Linux / macOS:
curl -LsSf https://astral.sh/uv/install.sh | sh
# Windows (PowerShell):
# powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
```
Confidence
97% confidence
Finding
| sh

VirusTotal

67/67 vendors flagged this skill as clean.