Automated agentic perps trading on dex.clutch.market

Security checks across malware telemetry and agentic risk

Overview

The skill is a clearly scoped Clutch Perps trading assistant with disclosed financial-trading and external MCP setup risks, but it includes user approval gates and no evidence of hidden code, exfiltration, or persistence.

Before installing, verify the Clutch MCP npm package and source repository, understand that perps trading can lose funds quickly, and only proceed when the agent presents a specific plan and you explicitly approve the execution steps.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If used with a connected trading setup, mistakes or misunderstood instructions could lead to financial loss.

Why it was flagged

The skill is designed to guide live trading and execution workflows, which are high-impact actions, but this is the stated purpose and the instructions include an approval process.

Skill content

Use when users ask for setup, live trade workflows, market checks, order planning, risk setup, or execution on dex.clutch.market

Recommendation

Use only with clear position sizing, leverage limits, TP/SL settings, and an explicit user approval before any execution step.

ASI03: Identity and Privilege Abuse
Medium
What this means

A connected agent or MCP server may operate with the user's trading authority, so account permissions and risk limits matter.

Why it was flagged

The workflow assumes access to trading-account context such as margin and position sizing; this is expected for perps trading, but it means any connected MCP or account authority should be treated carefully.

Skill content

Pre-trade checks
- [ ] Margin available
- [ ] Position size confirmed
- [ ] TP/SL confirmed
- [ ] Risk cap confirmed

Recommendation

Connect only accounts or wallets intended for this venue, keep permissions limited where possible, and confirm every trade before execution.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing or running the MCP server executes third-party package code on the user's machine.

Why it was flagged

The setup path uses an external npm package executed via npx. The skill provides provenance links and requires consent, but users still rely on the external package source.

Skill content

npx @clutchmarkets/mcp-server init --client <your-client>

Recommendation

Verify the npm package, repository, and version before running npx; prefer a pinned version if available.