Shekel Hyperliquid Trading

Security checks across malware telemetry and agentic risk

Overview

This is a real crypto trading skill, but it asks the agent to keep a powerful trading key in memory and use broad financial powers that deserve careful review.

Only install this if you are comfortable giving an agent broad control over a crypto trading account. Do not store the API key in agent memory; use a proper secret manager or enter it only when needed. Fund minimally, set strict risk limits, review remote instruction changes, and require explicit confirmation for withdrawals, vault actions, wallet-key export, account deletion, and scheduled trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding:
The manifest frames the skill as perpetual futures trading, but the documented capability set also includes public vault discovery and third-party vault deposit/withdraw flows. That mismatch expands the operational and financial scope beyond what a user or host may reasonably expect, increasing the chance of unintended fund movements or authorization overreach.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The documentation tells the agent to retrieve persisted API keys from memory and avoid asking the user again, but this credential retention behavior is not disclosed in the manifest's stated purpose. Undeclared secret storage materially changes the skill's trust and privacy profile because the agent becomes a long-term custodian of trading credentials.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
These instructions direct the agent to persist a live trading API key in long-term memory and verify later recall. Storing reusable financial credentials in agent memory creates a high-risk secret exposure path through memory leakage, prompt injection, debugging output, backups, or cross-session retrieval.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill normalizes recalling the user's API key from memory without presenting a clear warning that the credential may be retained persistently and reused later. That weakens informed consent and can surprise users who expected ephemeral handling of a highly sensitive trading secret.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The instructions tell the agent to write the API key to MEMORY.md and confirm retrieval, but they do not require explicit consent for persistent storage by the agent itself. Even though the user is told to save the key personally, that is not the same as obtaining permission for the system to retain a reusable credential.

Ssd 3

Severity: High
Confidence: 97%
Finding:
Persisting and later reusing a user's trading API key through conversational memory exposes a live credential in a workflow not designed as a hardened secret vault. Any memory disclosure, retrieval bug, or prompt injection could reveal the key and enable unauthorized trading, withdrawals, or account changes.

Ssd 3

Severity: Critical
Confidence: 99%
Finding:
The onboarding checklist explicitly requires saving the returned API key into MEMORY.md and verifying future recall, turning the agent into a durable holder of a high-value financial secret. In this trading context, compromise of that key can directly enable account takeover-like behavior over balances, positions, withdrawals, and destructive account operations.

Ssd 3

Severity: Critical
Confidence: 99%
Finding:
The skill instructs the agent to display the full API key in chat and also save it as a reusable record in memory. Presenting and persisting a full bearer token in plain conversational flow greatly increases exfiltration risk through chat logs, screenshots, browser history, transcript retention, or downstream model access.

VirusTotal

65/65 vendors flagged this skill as clean.