Upbit Trading Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be an Upbit crypto monitoring/trading skill, but it needs Review because it asks for exchange credentials while depending on a shell helper that is not bundled with it and overstating the trading features it actually implements.

Review carefully before installing. Use a dedicated least-privilege Upbit key, preferably read-only unless you have confirmed that live order-placement code exists and you explicitly want it; do not grant withdrawal permission. Inspect or remove the ../zai/ask.sh dependency before running, because it is not included in the reviewed artifact and may receive position and strategy details. Treat this as a signal/monitoring bot unless the publisher documents and ships the actual order-execution and Telegram behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions even though it clearly requires environment-variable access for API keys and network access to communicate with Upbit and optionally a GLM API. Missing permission disclosure is dangerous because users and platforms cannot accurately assess the skill’s access needs, reducing informed consent and weakening policy enforcement around sensitive capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior does not fully match the observed capabilities: it advertises automated trading, but the code reportedly includes balance access and local persistence of positions, events and logs, while the actual order-execution behavior may differ from what is advertised. This mismatch is risky in a financial skill because users may grant exchange credentials or rely on the bot under false assumptions about whether it can trade, monitor funds, or retain sensitive operational data.
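The Overview's warning about the unbundled ../zai/ask.sh helper and the two findings above (undeclared capabilities in Lp3, advertised versus actual trading behavior in Tp4) are the kind of mismatch a static pre-install check can surface. The following is an added example, not code from this review or from the Upbit skill: it scans a skill's sources for environment-variable reads, network hosts, quoted shell helpers that resolve outside the skill directory, and order or withdrawal API paths, then diffs that evidence against the permissions the manifest declares. The manifest format (a JSON object with a "permissions" list of "env:NAME", "net:HOST", "exec:PATH" and "exchange:trade" strings), the regex heuristics, and the sample sources are all assumptions made for the illustration.

```python
"""Static audit of an agent skill for capabilities its manifest does not declare.

Added example only: not code from the review or from the Upbit skill it
describes. Manifest format, permission strings, regex heuristics and the
sample sources are assumptions for illustration.
"""
import json
import posixpath
import re
from dataclasses import dataclass, field


@dataclass
class Capabilities:
    env_vars: set = field(default_factory=set)           # environment variables read
    hosts: set = field(default_factory=set)              # hosts the code talks to
    external_scripts: set = field(default_factory=set)   # *.sh helpers outside the skill root
    trading_endpoints: set = field(default_factory=set)  # paths that place orders or move funds


# Heuristics (assumed): Python os.environ reads, shell $VAR expansions, URLs,
# quoted *.sh paths, and Upbit-style order/withdrawal REST paths.
ENV_RE = re.compile(r"""os\.environ(?:\.get)?\s*[\[(]\s*['"]([A-Z0-9_]+)['"]""")
SHELL_VAR_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]+)\}?")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
SCRIPT_RE = re.compile(r"""['"]([^'"\s]+\.sh)['"]""")
TRADE_RE = re.compile(r"/v1/(?:orders?|withdraws?)\b")


def scan_source(path: str, text: str, skill_root: str, caps: Capabilities) -> None:
    """Collect capability evidence from one source file into caps."""
    root = posixpath.normpath(skill_root) + "/"
    for m in ENV_RE.finditer(text):
        caps.env_vars.add(m.group(1))
    if path.endswith(".sh"):
        for m in SHELL_VAR_RE.finditer(text):
            caps.env_vars.add(m.group(1))
    for m in URL_RE.finditer(text):
        caps.hosts.add(m.group(1))
    for m in SCRIPT_RE.finditer(text):
        # Resolve relative to the referencing file; anything outside the skill
        # root (like ../zai/ask.sh) is a dependency the reviewed artifact does not contain.
        ref = posixpath.normpath(posixpath.join(posixpath.dirname(path), m.group(1)))
        if not ref.startswith(root):
            caps.external_scripts.add(ref)
    for m in TRADE_RE.finditer(text):
        caps.trading_endpoints.add(m.group(0))


def required_permissions(caps: Capabilities) -> set:
    """Translate evidence into the permission strings the manifest should carry."""
    req = {f"env:{v}" for v in caps.env_vars}
    req |= {f"net:{h}" for h in caps.hosts}
    req |= {f"exec:{p}" for p in caps.external_scripts}
    if caps.trading_endpoints:
        req.add("exchange:trade")  # a monitoring-only skill must never need this
    return req


def audit(manifest: dict, sources: dict, skill_root: str) -> dict:
    """Compare declared permissions with what the sources actually exercise."""
    caps = Capabilities()
    for path, text in sources.items():
        scan_source(path, text, skill_root, caps)
    declared = set(manifest.get("permissions", []))
    required = required_permissions(caps)
    return {
        "undeclared": sorted(required - declared),  # underdeclared capabilities
        "unused": sorted(declared - required),      # declared but never exercised
        "external_scripts": sorted(caps.external_scripts),
        "trading_endpoints": sorted(caps.trading_endpoints),
    }


# Constructed sample (never executed, only scanned): a skill that declares no
# permissions, reads exchange keys, hits the order endpoint, and shells out to
# a helper outside its own directory.
SAMPLE_MANIFEST = {"name": "upbit-trader", "permissions": []}
SAMPLE_SOURCES = {
    "/skills/upbit/bot.py": (
        "import os, subprocess, requests\n"
        "ACCESS = os.environ['UPBIT_ACCESS_KEY']\n"
        "SECRET = os.environ.get('UPBIT_SECRET_KEY')\n"
        "requests.get('https://api.upbit.com/v1/accounts')\n"
        "requests.post('https://api.upbit.com/v1/orders', json=order)\n"
        "subprocess.run(['bash', '../zai/ask.sh', strategy])\n"
    ),
    "/skills/upbit/scripts/notify.sh": (
        "curl -s https://api.telegram.org/bot$TELEGRAM_TOKEN/sendMessage\n"
    ),
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_SOURCES, "/skills/upbit"), indent=2))
```

Run against the constructed sample, every capability comes back as undeclared, including exec:/skills/zai/ask.sh and exchange:trade; a skill whose sources only call the accounts endpoint and bundled scripts, with those needs declared, produces an empty undeclared list. The point of the exchange:trade bucket is the Tp4 mismatch: if a skill is sold as monitoring but its sources reach an order path, you know before handing it a key that read-only is not what it will try to do.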

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Advertising automated real-time trading without an explicit financial-risk warning is unsafe because users may deploy it against live funds without understanding the potential for rapid losses, volatile execution, or model error. In the context of a trading bot, omission of a live-funds warning materially increases harm because the system is positioned to influence or execute market decisions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup requests Upbit API credentials but does not warn users to protect the keys, restrict scopes, or avoid overprivileged API access. In a financial integration, poor key-handling guidance can directly lead to credential theft or misuse that exposes balances, account data, or trading authority over user funds.

VirusTotal

65/65 vendors flagged this skill as clean.
