Boktoshi Bot Trading Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is clearly a trading integration, but it gives an agent live account-trading actions without documented approval limits or safety boundaries.

Install only if you intentionally want an agent to access Boktoshi/MechaTradeClub trading endpoints. Prefer a restricted API key, require confirmation before every trade or position change, set external account limits where possible, and review the linked remote documentation before relying on it.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

If the agent misinterprets a request or is invoked with insufficient oversight, it could place trades, close positions, or alter bot/account state.

Why it was flagged

These are live account and trading endpoints, including posting trades and closing positions. The artifact does not include approval requirements, trade limits, rollback guidance, or other containment for high-impact actions.

Skill content

`POST /bots/register`, `POST /bots/trade`, `POST /bots/positions/:positionId/close`, `POST /bots/claim-boks`, `GET /account`

Recommendation

Use only with explicit user confirmation for every trade or position change, set strict account/API limits where available, and monitor activity closely.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone or any agent action using this key may be able to access account information and perform trading operations depending on the key's permissions.

Why it was flagged

The required bearer API key is disclosed and purpose-aligned, but it delegates access to trading and account endpoints, so users should treat it as a sensitive live credential.

Skill content

`MTC_API_KEY` (required) ... `Authorization: Bearer mtc_live_<your-key>`

Recommendation

Use the least-privileged key possible, avoid sharing it in chat or logs, rotate it if exposed, and revoke it when no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

If an agent or user relies on the external documentation, it may introduce instructions or endpoint details that were not reviewed here.

Why it was flagged

The skill references external canonical documentation that was not included in the reviewed artifact set and could change independently of this reviewed version.

Skill content

For full canonical docs: `https://boktoshi.com/mtc/skill.md`

Recommendation

Review the external documentation before use and do not treat changing remote content as automatically trusted.