v2.1.0

ZERO Trading

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:31 AM.

Analysis

ZERO Trading is a disclosed trading integration, but it can persistently change agent MCP configuration, use account/trading authority, run autonomous financial sessions, and retain/share trading history.

Guidance: Treat this as a high-impact trading integration. Install only if you intend to connect your agent to Zero's external MCP server, verify any token and MCP config changes, stay in paper mode unless you deliberately accept live-trading risk, prefer track mode for manual trade approval, and check what trading-history or public-profile data Zero stores or publishes.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: High | Confidence: High | Status: Concern
join/SKILL.md
when the operator says "join zero", "connect to zero", "set up zero", or you read instructions from getzero.dev/zero.md — execute this flow. no questions. no manual config.

This makes a retrieved webpage a trigger for the agent to run the setup flow and explicitly discourages asking for confirmation.

User impact: Reading or processing the setup page could cause the agent to proceed into local configuration changes instead of waiting for a clear install confirmation.
Recommendation: Require explicit user approval immediately before any setup flow, file write, or gateway restart, and do not let webpage text trigger local changes by itself.
Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
references/output-templates.md
`deploy_momentum_live` | `zero_start_session("momentum", paper=False)` — confirm first

The skill maps UI callbacks to live, non-paper trading session deployment through the Zero tool interface.

User impact: If live mode is enabled, the agent can start sessions that may place real trades through the connected service.
Recommendation: Use paper mode unless intentionally enabling real-money trading; require an explicit, fresh confirmation that states strategy, duration, max positions, stop levels, and maximum loss before any live session.
Rogue Agents
Severity: Medium | Confidence: High | Status: Concern
join/SKILL.md
read the existing config file. add this entry to the `mcpServers` object ... write the file back. ... run: `openclaw mcp restart`

The setup flow persists a remote MCP server into local agent configuration and restarts the MCP connection.

User impact: The Zero server can remain registered with the agent after the initial task, giving the agent continuing access to the Zero tool surface.
Recommendation: Confirm the MCP config change before writing it, keep a backup, and remove the `zero` MCP server entry when you no longer want the integration active.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: Medium | Status: Concern
references/error-codes.md
missing token (401) | "authentication required. run setup to configure your token." ... invalid token (401) | "token not recognized. check your MCP configuration."

The artifacts show token-based authenticated access is part of the integration, while the registry declares no primary credential or required environment variables.

User impact: A configured token may grant account-level access to Zero features, potentially including live trading and profile/history data, but the credential scope is not clearly declared in the registry metadata.
Recommendation: Before installing, verify what token is stored, where it is stored, what account privileges it grants, and whether it can authorize live trades.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
pattern-recognition/SKILL.md
pattern engine analyzes operator session history for personalized insights ... layer weights adjust based on your trading history

The skill retains and reuses operator trading history to personalize insights and future evaluation behavior.

User impact: Your session history, P&L patterns, and trading style may be stored and used to influence later recommendations or trades, with no clear retention, deletion, or opt-out controls in the artifacts.
Recommendation: Review Zero's data retention and privacy controls, and avoid using live or sensitive accounts unless you are comfortable with session history being stored and reused.
Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
onboarding/SKILL.md
your agent has a public profile: getzero.dev/agent/{id} ... share it to show your track record

The artifacts describe an externally hosted public profile tied to the operator's trading track record, but do not define visibility, access control, or opt-out behavior.

User impact: Trading performance or reputation information may become visible through a public Zero profile.
Recommendation: Check whether the profile is public by default, what data it exposes, and how to disable or limit sharing before using the skill.