BNB Chain trading

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate DeFi trading skill, but it needs review because its BNB-only presentation under-discloses multi-chain wallet approvals and signed order submission.

Install only if you intend to use the Spot/Orbs workflow across all listed EVM chains, not just BNB Chain. Before approving or signing, verify the chain ID, token addresses, verifying contract/spender, recipient, max amount, slippage, deadline, and whether the order can recur. Treat relay submission as sharing signed trading instructions with an external service, and use wallet confirmations plus onchain cancellation/revocation tools carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The addressbook lists many non-BNB chains while the skill is described as a BNB Chain trading skill. Even though the file says SKILL.md is authoritative, an agent or downstream parser may still consume these aliases and route funds, quote prices, or resolve token symbols on unintended chains, creating chain-confusion and misrouting risk.

Missing User Warnings

Medium
Confidence: 84%
Finding
The README describes a workflow where users sign orders that authorize ERC-20 spending and execution by an authorized executor, yet it does not prominently warn about trading loss, token approval risk, price movement, execution conditions, or irreversible onchain settlement. In an agent skill context, missing explicit risk disclosures can cause users to delegate trading actions without understanding that signatures may lead to real asset movement and loss under adverse market or integration conditions.

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill instructs the agent to transmit signed order payloads to a third-party relay endpoint without an explicit user-facing disclosure or consent checkpoint. Even if the payload is non-custodial, sending signed trading intents over the network can leak sensitive metadata, expose users to privacy risks, and cause unintended order submission if the agent acts without sufficiently explicit authorization.

Missing User Warnings

Medium
Confidence: 92%
Finding
This file provides signed relay payload examples and explicitly tells users to copy the nearest shape and replace fields, but it does not warn that signatures are cryptographically bound to specific order contents and must never be reused or blindly preserved after edits. In a trading skill affecting on-chain funds, that omission can mislead users or integrators into submitting malformed, invalid, or dangerously misunderstood payloads, increasing the risk of fund loss, failed trades, or accidental authorization mistakes.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation explicitly notes that `output.recipient` is dangerous to change away from `swapper`, but it does not require confirmation, constrain the field, or define enforcement checks. In a non-custodial trading skill, allowing arbitrary recipient overrides can redirect trade proceeds to an attacker-controlled address, causing direct asset theft if the agent or upstream caller populates this field unsafely.

VirusTotal

64/64 vendors flagged this skill as clean.
