tradr

Security checks across malware telemetry and agentic risk

Overview

tradr is a disclosed crypto trading automation skill, but it needs Review because it can run persistent live buy/sell automation with limited consent boundaries and sensitive notification behavior.

Install only if you intentionally want automated crypto trading through Bankr. Use an isolated wallet with limited funds, review position-size caps and exit rules, prefer a user-scoped service, disable notifications or verify the Telegram routing before adding secrets, and do not expose the dashboard API publicly without authentication and redaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env = os.environ.copy()
env["BANKR_ALLOW_TRADE"] = "1"  # Bypass trade guard for mechanical pipeline
env["BANKR_ALLOW_SELL"] = "1"   # Legacy sell override
result = subprocess.run(
    [BANKR_SH, prompt],
    capture_output=True, text=True, timeout=330,
    env=env,
)
Confidence
96% confidence
Finding
result = subprocess.run( [BANKR_SH, prompt], capture_output=True, text=True, timeout=330, env=env, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script = os.path.expanduser(NOTIFY_SCRIPT)
if os.path.exists(script):
    try:
        subprocess.run([script, level, notify_type, text], capture_output=True, timeout=15)
    except Exception as e:
        log.warning("Notification script failed: %s", e)
Confidence
87% confidence
Finding
subprocess.run([script, level, notify_type, text], capture_output=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script = os.path.expanduser(script)
if os.path.exists(script):
    try:
        subprocess.run([script, level, notify_type, text], capture_output=True, timeout=15)
    except Exception as e:
        log.warning("Notification script failed: %s", e)
Confidence
88% confidence
Finding
subprocess.run([script, level, notify_type, text], capture_output=True, timeout=15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly documents capabilities to execute shell commands, write files, access network resources, and read environment-backed configuration, yet the metadata declares no permissions. This creates a permission-model bypass at the documentation/interface level: users and orchestrators may trust the skill as low-privilege while it performs high-impact actions such as trade execution, service installation, and file modification.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script behavior contradicts its own routing comment: `buy` notifications are sent to both DM and broadcast, not DM-only. In a trading skill, buy messages can reveal active positions, strategy timing, or token targets to a broader audience than intended, creating confidentiality and frontrunning risks if operators rely on the documented behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Allowing a configurable local script to run during trade handling is a genuine code-execution primitive if an attacker can influence config or the referenced file. In an agent skill context, this is more dangerous because notifications may fire automatically on attacker-influenced token names or responses, turning normal workflow into repeated execution of untrusted local code.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code explicitly copies the environment and sets BANKR_ALLOW_TRADE=1 to bypass a downstream trade guard before executing Bankr. This weakens a safety control designed to prevent unintended trades, and in an automated on-chain trading skill that directly handles asset purchases, bypassing the guard materially increases the chance of unauthorized or unsafe trade execution.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill is designed for live on-chain trading with automatic buy, monitor, and sell behavior, and it instructs users to start a persistent exit-manager service. Without an explicit high-visibility warning that these actions can spend real funds, incur irreversible losses, and continuously act on market data, users may trigger destructive financial operations unintentionally.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The dashboard guidance instructs operators to expose API endpoints serving positions, trade history, and full config contents, but it does not warn that this data can reveal wallet addresses, strategy parameters, infrastructure details, RPC endpoints, and possibly other sensitive operational metadata. If exposed without authentication or filtering, it can leak trading behavior and make the operator a target for surveillance, strategy copying, or infrastructure abuse.

Missing User Warnings

High
Confidence
99% confidence
Finding
The daemon is explicitly designed to perform autonomous sells and forcibly disables trade protections via BANKR_ALLOW_TRADE and BANKR_ALLOW_SELL. In the context of an on-chain trading skill, this is especially dangerous because any bad config, poisoned position data, or upstream manipulation can cause irreversible asset liquidation without user confirmation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script writes and enables a persistent systemd service that will autonomously manage trading exits, but it does so immediately without an explicit confirmation prompt or prominent safety warning about ongoing automated on-chain actions. In the context of a trading skill, persistence is expected, but silently installing background automation increases the chance of unintended financial activity if the config is incomplete, wrong, or later modified.

Session Persistence

Medium
Category
Rogue Agent
Content
mkdir -p "$UNIT_DIR"
echo "$UNIT" > "$UNIT_DIR/$SERVICE_NAME.service"
systemctl --user daemon-reload
systemctl --user enable "$SERVICE_NAME"
echo "✓ Installed as user service"
echo "  Start: systemctl --user start $SERVICE_NAME"
echo "  Status: systemctl --user status $SERVICE_NAME"
Confidence
88% confidence
Finding
systemctl --user enable

Session Persistence

Medium
Category
Rogue Agent
Content
if [ -w "$UNIT_DIR" ] || [ "$(id -u)" -eq 0 ]; then
    echo "$UNIT" > "$UNIT_FILE"
    systemctl daemon-reload
    systemctl enable "$SERVICE_NAME"
    echo "✓ Installed as system service"
    echo "  Start: sudo systemctl start $SERVICE_NAME"
    echo "  Status: sudo systemctl status $SERVICE_NAME"
Confidence
91% confidence
Finding
systemctl enable

VirusTotal

49/49 vendors flagged this skill as clean.
