
Security audit

SeeSaw Claw

Security checks across malware telemetry and agentic risk

Overview

This is a real SeeSaw trading skill, but it needs Review because it can make live financial and public account actions automatically using stored credentials.

Install only if you are comfortable granting SeeSaw credentials that can trade and modify account or market state. Set `dry_run` to true before running automation, avoid `--yes` or unattended execution unless live actions are intended, review third-party data sharing to Brave/Gemini/Slack, and treat the `/tmp` token cache as a credential-risk item to fix or monitor.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation explicitly instructs users to store API credentials in plaintext within `~/.openclaw/openclaw.json` and to pass secrets on the command line. Both practices can expose credentials through filesystem access, backups, shell history, process listings, and logging, which can lead to unauthorized access to the SeeSaw account or API actions. In this skill context, the risk is heightened because these are live service credentials and the document presents the insecure handling as the normal setup flow without any warning or safer alternative.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation exposes direct buy, sell, claim, follow, block, and other account-modifying commands without a prominent warning that they can trigger real financial transactions or irreversible account actions. In an agent-skill context, this increases the risk that a user or automated agent invokes these commands without understanding the consequences, leading to unintended trades or account changes.

Missing User Warnings

High
Confidence: 97%
Finding
The skill advertises automated workflows for opening, adjusting, asserting, settling, and claiming positions, but does not provide a strong warning that these scripts can autonomously execute market actions using live credentials. This is especially risky because the documentation frames automation as normal operation, and notes that some guardrails like `max_daily_loss` are not fully implemented, increasing the chance of financial loss or unauthorized autonomous behavior.

Missing User Warnings

Medium
Confidence: 97%
Finding
This script performs real financial actions—settling completed markets and later buying or selling positions—based on external news and LLM output without any explicit user confirmation or hard approval gate. In a trading context, this is dangerous because model mistakes, malformed news, prompt injection in retrieved content, or simple misconfiguration can directly trigger unwanted asset movements and financial loss.

Missing User Warnings

Medium
Confidence: 84%
Finding
The script performs autonomous market-affecting actions by using search results and LLM output to assert outcomes or post comments, without an explicit approval gate at the point of action. In this context, that can cause unauthorized or incorrect assertions, reputational damage, and manipulation of market state if the LLM or fetched news is wrong, incomplete, or prompt-influenced.

Missing User Warnings

Medium
Confidence: 91%
Finding
Market titles, descriptions, options, and retrieved news are forwarded to external web search and LLM services, which can leak sensitive business context or proprietary trading activity to third parties. Because the returned LLM output directly influences whether the script places a real trade, this also creates an indirect prompt-injection and untrusted-decision risk in a high-impact financial workflow.

Missing User Warnings

Medium
Confidence: 96%
Finding
The code persists the bearer token to `/tmp/seesaw_token.json` without setting restrictive permissions, encryption, or ownership checks. On multi-user systems or shared environments, files under `/tmp` are a common target for token theft, symlink attacks, or unintended cross-user access, which could let another local actor reuse the session token to perform authenticated actions.

Missing User Warnings

Medium
Confidence: 90%
Finding
The `call_llm` function transmits full message contents to an external Gemini API without any local consent, redaction, or sensitivity checks. In an agent skill context, prompts and message histories often contain workspace data, secrets, or user content, so this can cause unintended third-party disclosure.

Missing User Warnings

Medium
Confidence: 88%
Finding
The `send_slack_message` helper sends arbitrary text to Slack using stored credentials, but this file provides no approval, content filtering, or disclosure beyond dry-run support. In a skill environment, that creates a realistic risk of leaking sensitive operational data or user content to an external messaging platform.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.