Aion Skill Builder

Security checks across malware telemetry and agentic risk

Overview

This is a trading-skill generator, but it is packaged like a narrower Polymarket trader and asks for sensitive credentials, so it needs careful review before installation.

Install only if you intend to use a developer tool that generates AION trading-skill templates. Do not provide a real wallet private key; use limited or test credentials; assume that strategy text is sent to OpenAI; and manually review the generated skill.py and clawhub.json before running, publishing, or enabling recurring automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill documentation indicates capabilities related to environment-variable access and file creation, but it does not declare permissions or clearly scope those actions. In a generator skill, undeclared access to credentials and the ability to write files is security-relevant because users may expose API keys or scaffold executable artifacts without realizing the trust boundary.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The manifest advertises a Polymarket thesis trader, but the described behavior is a code-generating builder that uses an LLM and writes multiple project files. This mismatch is dangerous because users may grant trust and credentials expecting market analysis/trading behavior, while the skill actually performs broad code/document generation with a much larger attack surface.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The manifest description says this is a thesis-trading skill, but the content describes a tool that generates other skills from natural-language prompts. Security-sensitive review depends on accurate identity and purpose; disguising a generator as a trader can bypass user scrutiny and cause users to expose secrets or run generated code they did not intend to trust.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding: The title and body directly contradict the advertised manifest purpose, indicating misleading packaging. In security terms, contradictory documentation increases the chance of unsafe use because operators may rely on the shorter manifest summary while overlooking that the skill is actually a broad builder capable of creating executable trading-related assets.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The file's actual behavior is a code-generation CLI that scaffolds new skills, not a Polymarket thesis trading skill as described in the metadata. This mismatch can mislead reviewers and users about the capabilities and trust boundary of the artifact, increasing the chance that code-generation and file-writing behavior is executed where only market-trading logic was expected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: Introducing OpenAI-powered code generation is unnecessary for a thesis trader and materially expands the attack surface by enabling unreviewed, model-produced code to be written to disk. In this context, the mismatch matters because users may trust the package as a trader while it actually transmits prompts externally and generates executable artifacts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The file writes multiple project and configuration files, which is behavior outside the expected scope of a market-trading skill and can surprise users or automation that assumes read/trade-only behavior. In a supply-chain context, unexpected scaffolding and file creation increase risk because generated artifacts may later be executed or published with insufficient review.

Description-Behavior Mismatch

Severity: High
Confidence: 88%
Finding: The manifest describes a Polymarket thesis trader, but the configuration exposes a different capability profile: OpenAI-powered skill building plus optional external wallet signing. This mismatch is dangerous because users may provide highly sensitive credentials under false expectations, enabling broader code-generation or signing behavior than the declared purpose suggests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 76%
Finding: Requesting an optional wallet private key is highly sensitive, and in this manifest it is not clearly justified by the stated purpose or constrained to a narrowly defined execution path. Even if optional, collecting a private key materially increases the blast radius of compromise because it can authorize irreversible on-chain actions if the surrounding skill or generated code is misused.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The invocation example accepts an open-ended natural-language request with no visible scope limits, policy constraints, or approval checkpoints. For a code generator that can scaffold trading skills, broad prompting can lead to unsafe or overly privileged outputs, including strategies that interact with sensitive credentials or real-money systems.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The documentation promotes generation of trading skills and mentions credentials such as API keys and wallet private keys, but it does not prominently warn that generated skills may execute real trades or handle sensitive secrets. In this context, omission of a strong warning is dangerous because users may treat the tool as harmless scaffolding and later deploy generated artifacts with live credentials or financial impact.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The tool sends the user's strategy description, skill name, and author information to an external LLM service without an explicit warning or consent step at collection time. This creates a data-leakage risk because users may provide proprietary strategies or sensitive trading information assuming it remains local.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The strategy description is transmitted again to an external API for code generation, compounding the disclosure issue and increasing the amount of sensitive information processed off-box. Repeated transmission of proprietary trading logic raises confidentiality risk and can violate user expectations or policy requirements.

Vague Triggers

Severity: Low
Confidence: 67%
Finding: The manifest asks for sensitive credentials but does not clearly define activation scope, least-privilege expectations, or the conditions under which each secret is needed. This ambiguity can lead users to over-provision secrets and increases the chance that a broader set of credentials is exposed to functionality that does not require them.

Ssd 3

Severity: Medium
Confidence: 89%
Finding: Embedding user-supplied strategy text verbatim into prompts and generated documentation can cause sensitive or proprietary details to be copied into output files and persisted on disk. If those files are later committed, shared, or published, confidential trading logic may be exposed beyond the user's intent.

VirusTotal

66 of 66 vendors reported this skill as clean.