DEX Arbitrage DEX套利

Security checks across malware telemetry and agentic risk

Overview

This paid DEX arbitrage skill is not clearly malicious, but it combines real-money crypto automation with under-scoped billing and risky trading examples that need review before use.

Review this as high-risk financial tooling before installing. Do not use production private keys or funded wallets, do not let an agent sign, bridge, deploy, or execute trades without manual approval, test only on forks or testnets first, verify the SkillPay charge path, and audit any generated contract or bot before live use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
98% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill claims to help with DEX arbitrage analysis, but the documented behavior includes external billing through SkillPay, transmission of user identifiers and charge requests to a third party, and generation of deployable flash-loan/arbitrage code that goes beyond simple advisory functionality. This mismatch is dangerous because users and calling systems may grant trust, data, or execution latitude based on the declared purpose, while hidden monetization and undeclared external interactions expand privacy, financial, and supply-chain risk.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements billing enforcement and payment-link generation, but the declared skill is a DEX arbitrage assistant. Such a mismatch is a strong indicator of hidden or undeclared behavior, and in agent skills this is dangerous because users and reviewers may invoke a trading tool that silently performs monetization or payment operations outside its stated purpose.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill reads SKILLPAY_USER_ID from the environment and uses it as the billing identity, a privileged capability not justified by an arbitrage assistant. Trusting environment-sourced identity without clear provenance can cause misbilling, cross-user confusion, or abuse in shared/runtime-hosted environments.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill can initiate charge requests and generate payment links, capabilities unrelated to its declared arbitrage purpose. In context, this makes the code more dangerous because it introduces hidden financial side effects and external payment interactions that users would not reasonably expect from an analytics/trading assistant.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This section goes beyond defensive MEV mitigation and gives operational guidance that can be used to race competitors, submit private bundles, and front-run other arbitrageurs. In the context of an arbitrage skill, that materially increases the likelihood the content will be used for adversarial market manipulation rather than purely defensive education.

Intent-Code Divergence

Low
Confidence
97% confidence
Finding
The closing line explicitly reframes MEV from something to defend against into something users may 'even use,' which normalizes exploitative behavior and contradicts the document's safety framing. In a DEX arbitrage assistant, that language can encourage misuse by users seeking offensive MEV strategies.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This is a real issue in the generated Aave contract: `MIN_PROFIT` is declared as a `constant`, so `setMinProfit` cannot update it despite the function name and documentation implying that it does. In a flash-loan arbitrage context, operators may believe they can raise or lower the threshold in response to market conditions, but the contract will continue using the baked-in value, causing unexpected executions, missed safeguards, or loss-making trades if users rely on the setter.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill charges the user automatically at skill start via verify_payment/require_payment, without an explicit consent step in this file. In a non-billing skill, silent charging is especially dangerous because users may trigger financial actions merely by invoking what appears to be an arbitrage assistant.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This section shows code for wallet creation, transaction signing, and on-chain swap construction without any warning that these actions can spend real funds, fail irreversibly, or expose users to slippage, MEV, and RPC risk. In an arbitrage skill, users are especially likely to operationalize snippets quickly, so omission of safety guidance materially increases the chance of financial loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The deployment example invokes a live `forge create` command with `--private-key $PK` and a public RPC endpoint, but provides no warning that this will broadcast a real deployment and consume funds immediately. In a trading/arbitrage context, readers may copy-paste this into production-like workflows, making accidental key misuse and unintended mainnet deployment more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide includes concrete bridge-deposit code and recommends bridge usage for arbitrage without clearly warning that cross-chain transfers can be delayed, fail, or become economically unprofitable during execution. In a trading skill focused on rapid arbitrage, users may over-trust the example and initiate irreversible transfers while exposed to bridge risk, slippage, price movement, and smart-contract compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The automation section provides monitoring and execution workflow for cross-chain arbitrage but does not include strong warnings about automated trade execution risking user funds, repeated loss loops, incorrect threshold logic, API/oracle errors, or chain/bridge failures. Because this skill is specifically about DEX arbitrage and automation, omission of those safeguards makes the content more dangerous: users are more likely to operationalize it directly with real capital.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
This finding is substantiated by both the explicit 'even use it' (甚至利用它) language and earlier competitive tactics such as raising gas, bribing via tips, and front-running rival arbitrageurs. The skill's arbitrage context makes such promotion more dangerous because it aligns directly with high-risk, potentially abusive trading behavior.

VirusTotal

VirusTotal findings are pending for this skill version.
