XT Exchange

Security checks across malware telemetry and agentic risk

Overview

This looks like a real XT.COM trading skill, but it asks agents to handle powerful exchange credentials in ways that can expose secrets, and it enables live financial actions.

Install only if you trust the publisher and intend to let an agent access your XT.COM account. Use least-privilege API keys, disable withdrawals unless needed, avoid storing secrets in plaintext files, do not let the agent print or cat credentials, and require explicit confirmation for every trade, transfer, cancellation, or withdrawal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares access to environment variables and performs network-capable exchange operations, but does not declare corresponding permissions. This creates a transparency and consent problem: users may invoke a trading skill without clear notice that it can access API credentials and contact external services on their behalf.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The trading subcommands execute real order placement and cancellation immediately, with no confirmation prompt, dry-run mode, or explicit warning that these are live actions. In a conversational agent or CLI context, this materially increases the risk of accidental destructive financial operations from user error, ambiguous prompts, or automation mistakes.

Missing User Warnings

High
Confidence
96% confidence
Finding
The CLI exposes destructive actions such as buy, sell, transfer, withdraw, cancel, and cancel_all directly from parsed arguments and executes them immediately with no confirmation prompt, dry-run, or explicit risk acknowledgement. In an agent or conversational setting, a mistaken invocation, prompt injection, or parameter mix-up could lead to irreversible financial loss, especially for withdrawals and market orders.

Credential Access

High
Category
Privilege Escalation
Content
The script reads credentials from the following sources (in order of priority):

1. **Environment variables** (recommended): `XT_ACCESS_KEY` + `XT_SECRET_KEY`
2. **Local file**: `~/.xt-exchange/credentials.json`

Before performing any operation that requires authentication, first check whether credentials exist:
Confidence
93% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
If neither is set, guide the user:

> "An API Key is required for account operations. Please create a Key on the XT.COM API management page, then set the environment variables XT_ACCESS_KEY and XT_SECRET_KEY, or save them to ~/.xt-exchange/credentials.json."

## Install Python dependencies
Confidence
84% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.