MoneySharks

Security checks across malware telemetry and agentic risk

Overview

MoneySharks is openly described as a real-money autonomous leveraged trading skill, but its live trading authority and emergency controls are broad enough that users should review it carefully before installing.

Install only if you intentionally want an autonomous real-money leveraged futures bot. Start in paper mode, use exchange API keys with the narrowest possible permissions and small limits, do not override ASTER_BASE_URL unless you fully trust the endpoint, and enable cron/autonomous_live only after reviewing the generated config, risk caps, and halt behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Tainted flow: 'req' from os.getenv (line 94, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            url = BASE_URL + path
            req = urllib.request.Request(url, data=body, headers=headers, method=method)

            with urllib.request.urlopen(req, timeout=20) as resp:
                return json.loads(resp.read().decode())

        except urllib.error.HTTPError as e:
Confidence
96% confidence
Finding
with urllib.request.urlopen(req, timeout=20) as resp:
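The flow above is dangerous because the destination comes from the environment (ASTER_BASE_URL, the override the overview warns about) and the credential headers are attached before anyone checks where the request is going. The following is an added example, not MoneySharks code, of closing that gap: the base URL is resolved through an allowlist and the API key is only attached afterwards. The trusted host name, the X-API-KEY header and the path shape are placeholders chosen for this example; they are not the exchange's real API.

```python
import os
import urllib.parse
import urllib.request

# Placeholder allowlist (assumption): the only hosts that may ever receive API keys.
TRUSTED_HOSTS = frozenset({"api.exchange.example"})
DEFAULT_BASE_URL = "https://api.exchange.example"


def resolve_base_url(env=None):
    """Return a base URL that credentials may be sent to, or raise ValueError.

    Reads ASTER_BASE_URL and refuses plain http, userinfo (user:pass@host),
    explicit ports, embedded paths, queries or fragments, and any host outside
    TRUSTED_HOSTS. An override pointing at an attacker host therefore fails
    closed instead of receiving signed requests.
    """
    env = os.environ if env is None else env
    raw = env.get("ASTER_BASE_URL", DEFAULT_BASE_URL).strip()
    parts = urllib.parse.urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https base URL: {raw!r}")
    if parts.username is not None or parts.password is not None or parts.port is not None:
        raise ValueError(f"refusing base URL with userinfo or explicit port: {raw!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"refusing base URL with path, query or fragment: {raw!r}")
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        raise ValueError(f"host {host!r} is not in the allowlist")
    return f"https://{host}"


def build_signed_request(path, api_key, body=None, method="GET", env=None):
    """Attach the credential only after the destination has passed the gate.

    The header name X-API-KEY is a placeholder; the ordering (resolve the
    destination, validate the path, then attach the key) is the point.
    """
    base_url = resolve_base_url(env)
    if not path.startswith("/") or ".." in path or "//" in path or "?" in path:
        raise ValueError(f"bad API path: {path!r}")
    headers = {"X-API-KEY": api_key, "Content-Type": "application/json"}
    return urllib.request.Request(base_url + path, data=body, headers=headers, method=method)


if __name__ == "__main__":
    # Constructed inputs: a trusted override and an attacker-controlled one.
    print(resolve_base_url({"ASTER_BASE_URL": "https://api.exchange.example/"}))
    try:
        resolve_base_url({"ASTER_BASE_URL": "https://api.exchange.example@attacker.example"})
    except ValueError as exc:
        print("blocked:", exc)
```

The userinfo check matters more than it looks: `https://api.exchange.example@attacker.example` displays the trusted name but resolves to the attacker's host, and a plain string-prefix comparison on the URL would pass it.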

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Labeling the Aster client as 'read-only' while documenting private write operations such as setting leverage, placing orders, cancelling orders, and closing positions is materially misleading. In a financial automation skill, this can cause operators or reviewers to underestimate that the component has full trading authority, increasing the chance of unsafe deployment with real credentials.

Intent-Code Divergence

High
Confidence
92% confidence
Finding
The documentation instructs emergency-stop logic to invoke destructive trading actions through an object named `aster_readonly_client`, which is a dangerous trust-boundary mismatch. In an autonomous live-trading skill, this ambiguity can cause developers or the agent runtime to grant write-capable methods to a supposedly read-only client, undermining least privilege and making emergency paths capable of unauthorized order cancellation or position closure.

Intent-Code Divergence

High
Confidence
91% confidence
Finding
The file explicitly requires operator approval before any external order submission, while the skill metadata promises zero per-trade approval and fully autonomous live trading. This discrepancy is dangerous because downstream agents or operators may rely on the more permissive manifest and enable real-money trading under false assumptions, leading to unsafe deployment, bypassed oversight expectations, or incorrect control design in a high-risk financial context.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented flow only supports generating execution-ready proposals and halts at PENDING_APPROVAL, which materially differs from the advertised capability of autonomous continuous live trading. In a trading skill handling real funds, this kind of capability mismatch can cause unsafe integration decisions, operator misunderstanding, and incorrect trust in what controls are or are not present.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script may reuse scan-derived quantity, stop loss, and take profit while emitting a caller-supplied side that can disagree with the scan's directional assumptions. In a live trading context, that can invert risk controls so that protective levels are placed on the wrong side of the market, potentially causing immediate losses, failed order placement, or unintended exposure.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file name, module description, and CLI usage frame this component as a read-only client, but the exposed commands include leverage changes and order cancellation, and the module also contains order placement primitives. That mismatch is dangerous because operators, orchestrators, or higher-level agents may invoke it under the false assumption that it cannot mutate a live trading account, leading to unauthorized or accidental destructive actions.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The code structure labels one section as private reads while the same 'readonly' client later implements leverage changes, order placement, bracket execution, cancellations, and position closing. This kind of misleading trust boundary increases the chance that downstream code review, permissioning, or agent policy treats the module as low-risk even though it can execute real-money trades.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The flatten logic appears to choose the wrong closing side: for a positive position amount it sets side='BUY' and for a negative amount it sets side='SELL', which would typically increase exposure instead of closing it. In an autonomous live-trading skill handling real funds without per-trade approval, this can amplify losses during an emergency halt and directly defeat the safety purpose of the command.
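Three of the findings above share one root cause: the code that touches the account is not shaped by the position it is acting on (the flatten side is inverted, a caller-supplied side can disagree with the scan's stop and take-profit levels) and it lives on an object called read-only. The following is an added example, not MoneySharks code, of deriving the closing side from the position, validating bracket geometry against the side, and keeping write methods on a client that has to be constructed on purpose. The endpoint paths, the order fields, the sign convention (positive amount = long) and the fake transport are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional


def close_side_for(position_amt: float) -> str:
    """A long (positive amount) is flattened by SELLING, a short by BUYING.

    Doing the reverse, as the flagged flatten logic does, adds to the position
    instead of closing it.
    """
    if position_amt > 0:
        return "SELL"
    if position_amt < 0:
        return "BUY"
    raise ValueError("nothing to close: position amount is zero")


def validate_bracket(side: str, entry: float, stop: float, take_profit: float) -> None:
    """Reject protective levels that sit on the wrong side of the entry.

    For a BUY entry the stop must be below and the target above; for a SELL
    entry the reverse. A scan computed for one direction therefore cannot be
    silently reused with the opposite caller-supplied side.
    """
    if side == "BUY":
        ok = stop < entry < take_profit
    elif side == "SELL":
        ok = take_profit < entry < stop
    else:
        raise ValueError(f"unknown side {side!r}")
    if not ok:
        raise ValueError(f"{side} bracket inverted: stop={stop} entry={entry} tp={take_profit}")


@dataclass
class Order:
    symbol: str
    side: str
    qty: float
    kind: str = "MARKET"
    price: Optional[float] = None
    reduce_only: bool = False


class ReadOnlyClient:
    """Only read endpoints live here, so there is no write method to call by mistake."""

    def __init__(self, transport):
        self._transport = transport  # callable(method, path, payload) -> response

    def position_amount(self, symbol: str) -> float:
        return float(self._transport("GET", "/positionRisk", {"symbol": symbol}))


class TradingClient(ReadOnlyClient):
    """Write capability is a separate object that must be requested explicitly."""

    WRITE_CAPABILITY = "I_UNDERSTAND_THIS_PLACES_REAL_ORDERS"

    def __init__(self, transport, write_capability: str):
        if write_capability != self.WRITE_CAPABILITY:
            raise PermissionError("TradingClient requires the explicit write capability")
        super().__init__(transport)

    def flatten(self, symbol: str) -> Order:
        amt = self.position_amount(symbol)
        order = Order(symbol, close_side_for(amt), abs(amt), reduce_only=True)
        self._transport("POST", "/order", vars(order))
        return order

    def place_bracket(self, symbol, side, qty, entry, stop, take_profit):
        validate_bracket(side, entry, stop, take_profit)
        exit_side = "SELL" if side == "BUY" else "BUY"
        orders = [
            Order(symbol, side, qty),
            Order(symbol, exit_side, qty, "STOP_MARKET", stop, reduce_only=True),
            Order(symbol, exit_side, qty, "TAKE_PROFIT_MARKET", take_profit, reduce_only=True),
        ]
        for order in orders:
            self._transport("POST", "/order", vars(order))
        return orders


def make_fake_transport(position_amt: float, log: list):
    """Constructed stand-in for the HTTP layer: records calls, never touches a network."""
    def transport(method, path, payload):
        log.append((method, path, payload))
        return position_amt if path == "/positionRisk" else {"ok": True}
    return transport
```

Note that `ReadOnlyClient` has no `flatten` at all, so an emergency path wired to a read-only object fails at call time rather than quietly succeeding with write authority it should not have.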

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The docstring assures users that prompted credentials will not be written to config.json, but the code also places those secrets into the current process environment, where they may persist for the remainder of execution and be inherited by child processes. This is not equivalent to writing them to config.json, but it is still sensitive credential handling that contradicts the reassuring message and can mislead users about exposure.
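Exporting a prompted secret into `os.environ` is not the same as writing it to disk, but it is inherited by every child process the agent spawns for the rest of the run. The following added example, not MoneySharks code, demonstrates that inheritance and the alternative of keeping the secret in a local value and building a clean environment for children. The variable name ASTER_API_SECRET is a placeholder chosen for this example.

```python
import os
import subprocess
import sys

SECRET_VAR = "ASTER_API_SECRET"  # placeholder name (assumption)
# Child process that reports whether it can see the secret; never prints the value.
PROBE = [sys.executable, "-c", f"import os; print(int({SECRET_VAR!r} in os.environ))"]


def child_sees_secret(env=None) -> bool:
    """Spawn a child with the given environment and report whether it can read the secret."""
    out = subprocess.run(PROBE, env=env, capture_output=True, text=True, check=True)
    return out.stdout.strip() == "1"


def leaky_prompt(secret: str) -> bool:
    """The flagged pattern: not written to config.json, but exported to the process
    environment, so every subprocess (shell tools, git, pip, editors) receives it."""
    os.environ[SECRET_VAR] = secret
    try:
        return child_sees_secret()  # env=None inherits os.environ
    finally:
        del os.environ[SECRET_VAR]


def scoped_prompt(secret: str):
    """Keep the secret in a local object and give children an environment without it."""
    creds = {"api_secret": secret}  # passed explicitly to the one client that needs it
    clean_env = {k: v for k, v in os.environ.items() if k != SECRET_VAR}
    return creds, child_sees_secret(clean_env)


if __name__ == "__main__":
    print("leaky pattern, child sees secret:", leaky_prompt("constructed-secret"))
    print("scoped pattern, child sees secret:", scoped_prompt("constructed-secret")[1])
```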

Vague Triggers

Medium
Confidence
89% confidence
Finding
Emergency trigger phrases like 'stop trading', 'kill switch', or 'cancel all orders' are broad enough to be matched during ordinary conversation, summaries, or quoted text. In an autonomous always-on trading system, accidental activation could halt trading, cancel protective orders, or flatten positions unexpectedly, causing financial loss or leaving positions unmanaged.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The documented halt phrases include extremely generic commands like 'stop trading' and 'emergency stop'. In a conversational agent, broad natural-language triggers can be invoked accidentally by unrelated user discussion, quoted text, or prompt-injected content, causing unauthorized denial of service against the trading bot at sensitive moments.
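Both trigger findings come down to where the phrase is allowed to match: anywhere in any text, including tool output and quoted material. The following added example, not MoneySharks code, accepts an emergency command only as a whole message authored by the operator and requires a second, token-bearing message before the actions that remove protection or close positions fire. The command table uses the phrases the findings quote; the role field, the token format and the action names are this example's own assumptions.

```python
import hmac
import secrets
from typing import Optional

# Phrase -> action. Only an exact, whole-message match counts.
HALT_COMMANDS = {
    "stop trading": "HALT_NEW_ENTRIES",
    "emergency stop": "HALT_NEW_ENTRIES",
    "kill switch": "FLATTEN_ALL",
    "cancel all orders": "CANCEL_ALL",
}
# Actions that cancel protective orders or flatten positions need confirmation.
DESTRUCTIVE = {"FLATTEN_ALL", "CANCEL_ALL"}


def _normalize(text: str) -> str:
    return " ".join(text.lower().split())


def match_command(message: dict) -> Optional[str]:
    """Return the action for a message, or None.

    Only messages authored by the operator (role == "user") are eligible; tool
    results, fetched web content and quoted text never are. The entire message
    must equal a command phrase, so 'the README says "stop trading" halts the
    bot' does not match.
    """
    if message.get("role") != "user":
        return None
    return HALT_COMMANDS.get(_normalize(message.get("text", "")))


class HaltGate:
    """Two-step gate: destructive actions are armed, then confirmed with a token."""

    def __init__(self):
        self._pending = None  # (action, token) while armed

    def handle(self, message: dict) -> Optional[str]:
        if self._pending is not None:
            pending_action, token = self._pending
            self._pending = None  # one attempt only; anything else disarms
            supplied = message.get("text", "").strip().encode()
            if message.get("role") == "user" and hmac.compare_digest(supplied, token.encode()):
                return pending_action
        action = match_command(message)
        if action is None:
            return None
        if action in DESTRUCTIVE:
            token = secrets.token_hex(4)
            self._pending = (action, token)
            return f"CONFIRM_REQUIRED:{token}"
        return action


if __name__ == "__main__":
    gate = HaltGate()
    # Constructed conversation: a quoted phrase, then a real command and its confirmation.
    print(gate.handle({"role": "user", "text": 'the README says "stop trading" halts the bot'}))
    reply = gate.handle({"role": "user", "text": "cancel all orders"})
    print(reply)
    print(gate.handle({"role": "user", "text": reply.split(":", 1)[1]}))
```

The disarm-on-anything rule is deliberate: an armed destructive action that survives unrelated messages is itself a trigger waiting for prompt-injected text to supply the token.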

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly states that in `autonomous_live` mode no proposal is generated and no user confirmation is requested before routing orders to the live execution adapter. In a real-money perpetual futures trading skill, removing per-trade approval materially increases the chance of rapid financial loss from model error, misconfiguration, compromise, or unexpected market conditions, and the file does not add strong compensating controls or a prominent risk warning in this execution path.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs direct execution in `live` and `autonomous_live` modes but does not pair that guidance with a prominent warning that real funds may be placed at risk automatically. In the context of a fully autonomous perpetual futures trading skill, this omission materially increases the chance of unsafe deployment or operator misunderstanding, leading to unintended real-money trades and losses.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The playbook explicitly instructs the agent in `autonomous_live` mode to bypass any approval step and immediately submit real-money orders. In a trading skill with perpetual futures and continuous operation, removing the last interactive control materially increases the chance of unauthorized, mistaken, or runaway execution if the strategy, configuration, or surrounding controls fail.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This documentation explicitly authorizes fully autonomous live trading with no per-trade user confirmation and persistent state/trade writes, but the referenced section does not prominently warn that it can place real-money orders continuously and modify operational state. In a financial trading skill, that omission is dangerous because users or integrators may enable autonomous mode without fully appreciating the immediacy, financial loss potential, and persistent side effects of the system.

Missing User Warnings

High
Confidence
98% confidence
Finding
The CLI exposes live trading mutations such as set_leverage and cancel_all directly, with no confirmation prompt, dry-run mode, or warning that these actions affect real funds. In an autonomous trading skill, this sharply raises the risk of accidental invocation by users, scripts, or agents and can immediately alter risk posture or remove protective orders.

Missing User Warnings

High
Confidence
97% confidence
Finding
Functions like place_order, close_position_market, place_bracket, cancel_order, and cancel_all_orders perform immediate live account mutations, yet the module presents itself as a general client without strong in-code disclosure or safety interlocks. In the context of a fully autonomous perpetual futures trading skill, hidden mutation capability is especially dangerous because a planner or caller may route untrusted or poorly validated inputs into real-money trades and liquidating actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code autonomously cancels existing stop orders, places new live STOP_MARKET orders, and persists updated state with no just-in-time user confirmation or execution-time warning. In the context of a fully autonomous real-money trading agent, that materially increases the chance of unauthorized, unexpected, or misconfigured order changes causing direct financial loss.

Missing User Warnings

High
Confidence
97% confidence
Finding
The adapter executes real leveraged bracket orders immediately whenever mode is set to autonomous_live, with no execution-time confirmation, challenge, or secondary authorization. In a trading skill explicitly designed for continuous real-money operation, this creates a direct path from input payload to live market execution, so any upstream prompt injection, logic error, or compromised caller can trigger irreversible financial actions.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The module documentation explicitly advertises a no-approval mode that places live orders immediately, which signals an intended unsafe operating model rather than an incidental bug. While the docstring itself does not execute trades, it reflects and reinforces a design that bypasses human confirmation for high-risk financial actions, increasing the likelihood the feature is invoked without adequate safeguards.

Missing User Warnings

High
Confidence
98% confidence
Finding
In autonomous_live mode, the code explicitly sets require_human_approval to False and can open and close real positions automatically. Because this skill is specifically designed for continuous real-money trading, any bad signal, compromised upstream component, misconfiguration, or prompt-manipulated decision input can immediately trigger unauthorized financial actions without a contemporaneous user confirmation checkpoint.
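The "Missing User Warnings" findings all describe the same shape: mode selection decides whether the approval prompt exists, and nothing else stands between the decision input and the exchange. The following added example, not MoneySharks code, puts one execution gate in front of every mode so that `autonomous_live` removes the approval step but never the risk caps or the halt check. The mode names paper, live and autonomous_live come from the page; the cap values, the halt-file convention and the order fields are placeholders for this example.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskCaps:
    max_leverage: int = 3
    max_notional_usd: float = 500.0
    max_daily_loss_usd: float = 100.0


@dataclass(frozen=True)
class OrderIntent:
    symbol: str
    side: str
    qty: float
    price: float
    leverage: int

    @property
    def notional(self) -> float:
        return self.qty * self.price


class ExecutionGate:
    """Every mode passes through the same caps; only the approval step varies."""

    MODES = ("paper", "live", "autonomous_live")

    def __init__(self, mode: str, caps: RiskCaps, halt_file: str, send):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode, self.caps, self.halt_file = mode, caps, halt_file
        self._send = send  # callable(intent) -> receipt; the only path to real funds
        self.realized_pnl_today = 0.0

    def _check_caps(self, intent: OrderIntent) -> list:
        problems = []
        if os.path.exists(self.halt_file):  # operator kill switch, checked every time
            problems.append("halt file present")
        if intent.leverage > self.caps.max_leverage:
            problems.append(f"leverage {intent.leverage} > {self.caps.max_leverage}")
        if intent.notional > self.caps.max_notional_usd:
            problems.append(f"notional {intent.notional:.2f} > {self.caps.max_notional_usd}")
        if -self.realized_pnl_today >= self.caps.max_daily_loss_usd:
            problems.append("daily loss cap reached")
        return problems

    def submit(self, intent: OrderIntent, approved: bool = False) -> dict:
        problems = self._check_caps(intent)
        if problems:
            return {"status": "REJECTED", "reasons": problems}
        if self.mode == "paper":
            return {"status": "SIMULATED", "intent": intent}
        if self.mode == "live" and not approved:
            return {"status": "PENDING_APPROVAL", "intent": intent}
        # live with approval, or autonomous_live: caps already enforced above
        return {"status": "SENT", "receipt": self._send(intent)}


if __name__ == "__main__":
    # Constructed intent and a stub sender that never reaches an exchange.
    gate = ExecutionGate("autonomous_live", RiskCaps(), "/nonexistent/halt-file", lambda i: "stub-receipt")
    print(gate.submit(OrderIntent("BTCUSDT", "BUY", 0.005, 50000.0, 3)))
    print(gate.submit(OrderIntent("BTCUSDT", "BUY", 0.005, 50000.0, 20)))
```

The caps are checked before the mode branch on purpose: a prompt-injected or mis-signalled intent in autonomous_live is still bounded by leverage, notional and daily-loss limits, and the halt file gives the operator a stop that does not depend on the agent parsing natural language.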

VirusTotal

66/66 vendors flagged this skill as clean.
