ZERO Trading

Security checks across malware telemetry and agentic risk

Overview

This is a real trading integration, but it gives the agent broad setup and trading authority with weak consent boundaries.

Review before installing. This skill connects your agent to a remote trading MCP service, can persist that connection in local config, can start paper sessions and supports live trading, and uses session history for personalized recommendations. Only install if you are comfortable with ZERO receiving trading/session data and with the agent having trading-session authority; verify MCP config changes and keep live mode disabled unless you intentionally opt in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding: The skill is presented as a trading agent, but it also exhibits ancillary behavior such as modifying local MCP configuration, probing remote connectivity, and reading local project files. That mismatch matters because operators may approve a market-analysis skill without realizing it can alter client configuration or inspect local metadata, expanding the trust boundary beyond trading operations.

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding: The file defines leaderboard, rivalry, and seasonal game mechanics that do not align with the parent skill's stated purpose as a trading agent. This kind of scope drift is dangerous because it can cause the agent to invoke unrelated tools, mishandle user intent, or mask unauthorized functionality inside an otherwise trusted trading package.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding: The onboarding skill extends beyond initial setup into persistent operational behavior such as daily briefs, alerting, mode changes, and profile exposure. That broadens the scope of an onboarding action into ongoing automated trading operations, increasing the chance that a user initiates durable behavior without clearly informed consent or a separate handoff flow.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README explicitly states that installation causes OpenClaw to connect to a remote MCP endpoint and auto-configure tooling, but it does not clearly warn users that agent prompts, metadata, or usage data may be transmitted off-host. In an agent skill context, silent remote connectivity is security-relevant because it expands the trust boundary during install and can expose sensitive agent context or enable remote tool influence without explicit informed consent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger 'operator asks about competition or ranking' is overly broad and ambiguously defined, which can cause the skill to activate in contexts only loosely related to rankings. In an agent environment, broad triggers increase the chance of unintended routing, unexpected tool calls, or interference with the primary trading workflow.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The skill uses broad activation phrases and even auto-triggers when the agent 'read[s] instructions from getzero.dev/zero.md', which creates ambiguous invocation boundaries. In context, that is dangerous because the skill then performs filesystem writes, restarts MCP, and initiates outbound connections without requiring explicit user confirmation.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The skill explicitly instructs the agent to 'execute this flow. no questions. no manual config' and then modifies MCP configuration, restarts services, and performs onboarding calls. This bypasses informed consent and safe change-control for persistent local configuration and remote connectivity, making accidental or coerced execution significantly more dangerous.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The manifest description is broadly phrased ('interpret 9-layer evaluations, heat maps, and approaching signals') without clear user-intent or context constraints, which can cause the platform to invoke this skill in situations that only loosely match market-analysis requests. Over-broad activation increases the chance of unintended tool use, confusing behavior, and exposure of trading-related outputs when the user did not explicitly request this skill.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: The trigger phrase uses open-ended wording such as 'or similar', which can cause accidental activation from loosely related user messages. In a trading context, overly broad activation is risky because it can cascade into session checks and deployment prompts tied to automated market activity.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: This flow presents deployment as a quick onboarding step without a strong warning that pressing the deploy action starts an automated trading session, even if in paper mode. Users may not understand that they are authorizing ongoing autonomous evaluation and trade execution behavior, which is especially sensitive in financial systems.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill introduces a public profile URL and encourages sharing it without any privacy warning or consent-specific explanation. Exposing a persistent public identifier tied to trading activity can leak behavioral, reputational, or account-linked information that users may not expect during onboarding.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The instruction to push updates proactively and unprompted is broad enough to cause the agent to initiate communications outside a tightly scoped trigger model. In an agent system, that can lead to notification spam, unintended autonomous behavior, and activation in contexts the operator did not explicitly request, especially when combined with frequent status intervals and multiple push conditions.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: Telling the agent to push updates 'without being asked' lacks sufficient boundary conditions and encourages autonomous activation. In a trading context this is more dangerous because market events are frequent and ambiguous, so vague proactive rules can produce excessive messaging, operator fatigue, or unexpected actions chained from notification workflows.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill explicitly analyzes operator session history to generate personalized insights, but it does not warn users that their historical trading behavior will be processed and profiled. In a trading context, this can influence user decisions and expose sensitive behavioral patterns without clear transparency or consent, making the omission a real privacy and user-autonomy issue.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill states that layer weights and strategy recommendations are automatically rebalanced based on the user's historical performance, but it does not disclose this adaptive behavior to the user. That is dangerous because trading recommendations can materially change over time in ways the user may not understand, reducing transparency and increasing the risk of hidden behavioral steering or overfitting to past activity.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The callback mapping for `cancel_deploy` explicitly tells the operator to say 'deploy' when ready, but the file does not define a strict command grammar or scope constraints for that trigger. In a trading agent that can initiate paper or live sessions, a broad natural-language trigger like 'deploy' can be misinterpreted from incidental conversation, quoted text, or threaded replies and may lead to unintended strategy launch flows, especially when live deployment options exist.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The reaction protocol lists broad operator commands like deploy, evaluate, and end without an explicit trigger list, exclusions, or disambiguation rules. In this skill context, those verbs map to privileged trading operations and session control, so overly permissive natural-language handling increases the risk of accidental execution, prompt-injection-style command confusion, or unauthorized action from loosely matched user text.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The document states that strategies can be automatically mutated and saved as pending evolved configurations, but it does not clearly warn that these changes can materially alter trading risk and behavior. In a live trading skill, silent or poorly disclosed strategy evolution can lead operators to run materially different risk settings than they intended, increasing the chance of unexpected losses or operation outside their risk tolerance.

Natural-Language Policy Violations

Severity: Medium
Confidence: 96%
Finding: The file hard-codes a single communication style, including forced lowercase, terseness, and 'no hedging', without user opt-in or accommodation for context. In a trading skill, this can suppress nuance, uncertainty, and accessibility needs, making risk-related messages sound overly certain and reducing the user's ability to distinguish confidence from presentation style.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The skill description is broad enough that an agent may invoke it for generic trading-advice requests, even when the user did not ask to run a strategy-selection workflow. In a trading context, over-broad routing is risky because it can pull the conversation into operational decision-making and downstream tool usage that materially affects financial activity.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill instructs the agent to deploy via `zero_start_session` upon user acceptance, but it does not require an explicit user-facing warning that this starts a live trading session with financial consequences. In this domain, missing a clear transactional confirmation step can cause users to unknowingly authorize real market exposure or automated execution.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
## what happens on install

1. OpenClaw reads `.mcp.json` — connects to `https://api.getzero.dev/mcp` via streamable-http
2. Gateway registers all ZERO tools (starts with 2, unlocks up to 42 as you use them)
3. SKILL.md injected into agent system prompt — agent knows how to trade
4. Sub-skills loaded for onboarding, strategy selection, risk management, etc.
Confidence: 96%
Finding: https://api.getzero.dev/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
- auto-config
    mcpServers:
      zero:
        url: "https://api.getzero.dev/mcp"
        transport: "streamable-http"
---
Confidence: 88%
Finding: https://api.getzero.dev/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
{
  "mcpServers": {
    "zero": {
      "url": "https://api.getzero.dev/mcp",
      "transport": "streamable-http"
    }
  }
}
Confidence: 90%
Finding: https://api.getzero.dev/

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
## auto-recovery communication

when circuit breaker triggers and defense auto-deploys:
"circuit breaker triggered. auto-deploying defense to protect capital."

after 24h cooldown completes:
Confidence: 90%
Finding: auto-deploy

VirusTotal

66/66 vendors flagged this skill as clean.