Molt Pmxt

Security checks across malware telemetry and agentic risk

Overview

This prediction-market skill is purpose-aligned, but it needs review because it holds private trading credentials and can submit real-money orders without an enforced confirmation gate.

Install only if you intentionally want an agent to access prediction-market accounts. For read-only use, do not configure private keys or trading API keys. If trading is required, use low-balance or tightly scoped accounts, keep the manual confirmation step outside the agent, and set exchange-side limits where the venue supports them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp1

High
Category
MCP Least Privilege
Confidence
98%
Finding
The code reads trading credentials from process.env, but the manifest only declares network access and low cost, not environment/secret access. This creates a capability mismatch that can mislead users and host systems about the skill's true privilege level, especially because the skill can use those secrets to place real-money trades.

Scope Creep

Medium
Confidence
92%
Finding
The skill instructs operators to provide highly sensitive secrets, including private keys, but the declared permissions only describe low-cost network access and do not clearly surface the elevated trust boundary created by credentialed trading. In context, this is more dangerous because the skill enables real-money order execution on external exchanges, so compromise, misuse, or operator misunderstanding could lead to direct financial loss and unauthorized trading.

Context-Inappropriate Capability

Medium
Confidence
92%
Finding
Module initialization automatically loads exchange API keys and private keys at import time, giving the skill credential-handling and trading capability immediately. Even if the stated purpose includes order execution, doing this implicitly expands the attack surface and makes accidental or unauthorized use easier.

Scope Creep

High
Confidence
97%
Finding
The skill accesses host environment secrets without declaring that capability, which undermines permission transparency and enables the agent to act with financial authority not evident from the manifest. In this context, the danger is elevated because the secrets are exchange trading credentials tied to real-money operations.
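The three findings above all describe the same mismatch: the code reads secrets from process.env while the manifest declares only network access. The following check, added here as an example and not part of the Molt Pmxt skill or of SkillSpector, scans a skill's source for environment reads and compares them with the permissions its manifest declares, flagging undeclared reads of secret-like names as high severity and a wildcard declaration as its own finding. The manifest schema (a "permissions" array holding entries such as "network", "env:NAME" or "env:*"), the variable names and the sample source are assumptions constructed for the example.

```javascript
// Added example, not the Molt Pmxt skill's code and not SkillSpector's scanner.
// ASSUMED manifest schema: { "permissions": ["network", "env:NAME", ...] },
// with "env:*" as a wildcard. Real skill manifests may differ.

// Matches process.env.NAME, process.env["NAME"] and process.env['NAME'].
const ENV_READ =
  /process\.env(?:\.([A-Za-z_]\w*)|\[\s*(['"])([A-Za-z_]\w*)\2\s*\])/g;

// Names that usually hold signing material or API secrets (heuristic).
const SECRET_LIKE = /(KEY|SECRET|TOKEN|PASS|PRIVATE|MNEMONIC)/i;

// Every distinct environment variable the source reads, sorted.
function envReads(source) {
  const names = new Set();
  for (const m of source.matchAll(ENV_READ)) names.add(m[1] ?? m[3]);
  return [...names].sort();
}

// Environment access the manifest actually declares.
function declaredEnv(manifest) {
  const perms = manifest.permissions ?? [];
  return {
    wildcard: perms.includes("env:*"),
    names: new Set(
      perms.filter((p) => p.startsWith("env:") && p !== "env:*").map((p) => p.slice(4))
    ),
  };
}

// Compare code against manifest and return structured findings.
function checkCapabilities(manifest, source) {
  const reads = envReads(source);
  const decl = declaredEnv(manifest);
  const findings = [];
  if (decl.wildcard && reads.length > 0) {
    findings.push({ rule: "wildcard-permission", severity: "medium", names: reads });
  }
  const undeclared = decl.wildcard ? [] : reads.filter((n) => !decl.names.has(n));
  if (undeclared.length > 0) {
    // Undeclared reads of secret-like names are the high-severity case: the
    // host cannot see from the manifest that the skill holds credentials.
    const secrets = undeclared.filter((n) => SECRET_LIKE.test(n));
    findings.push({
      rule: "undeclared-env-access",
      severity: secrets.length > 0 ? "high" : "medium",
      names: undeclared,
      secretLike: secrets,
    });
  }
  const severity = findings.reduce(
    (worst, f) => (f.severity === "high" ? "high" : worst),
    findings.length > 0 ? "medium" : "none"
  );
  return { reads, undeclared, findings, severity };
}

// Constructed sample: a manifest declaring only network access, beside a
// source file that reads three credentials at import time.
const SAMPLE_MANIFEST = { name: "pmxt", permissions: ["network"], cost: "low" };
const SAMPLE_SOURCE = `
const apiKey = process.env.PMXT_API_KEY;
const apiSecret = process.env["PMXT_API_SECRET"];
const signer = new Wallet(process.env.PMXT_PRIVATE_KEY);
export async function pmxt_order(market, side, size) { /* live order */ }
`;

const SAMPLE_RESULT = checkCapabilities(SAMPLE_MANIFEST, SAMPLE_SOURCE);
console.log(JSON.stringify(SAMPLE_RESULT, null, 2));
```

Run the same check over the declared-everything manifest and the result drops to "none"; a manifest with "env:*" clears the undeclared list but still surfaces a wildcard-permission finding, which is the least-privilege point the scanner's pattern list makes.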

Missing User Warnings

Medium
Confidence
90%
Finding
The skill requests wallet and exchange private keys without prominently warning about the risks of exposing signing material or the consequences of enabling automated trading. In this context, the danger is elevated because the skill is explicitly designed for order execution, so users may provide irreversible, high-value credentials without adequate notice about theft, misuse, or accidental transaction signing.

Missing User Warnings

Medium
Confidence
95%
Finding
The pmxt_order function directly submits real-money orders with no in-code confirmation, risk acknowledgment, limit checks, or policy gate. In an agent setting, this is especially dangerous because an LLM or upstream workflow could trigger unintended trades from ambiguous prompts, causing immediate financial loss.

VirusTotal

64/64 vendors flagged this skill as clean.
