Test Trading

Security checks across malware telemetry and agentic risk

Overview

This is a real-money trading skill whose behavior is mostly trading-related, but it grants and documents broad wallet, order, approval, and scheduled-execution authority without sufficiently clear user controls.

Review carefully before installing. Use a dedicated low-balance wallet or test account, keep dry-run mode unless you intentionally enable live trading, verify the scheduled automaton behavior, and require explicit confirmation for wallet credential registration, token approvals, cancel-all orders, auto-redeem, and any live order.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest presents a narrow single-market divergence trader, but the body of the skill expands into wallet bootstrap, credential registration, market scanning, order management, and redemption. This scope mismatch is dangerous because users may authorize a seemingly limited skill that actually documents and enables much broader account-impacting actions.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill includes wallet bootstrap and credential registration flows that go beyond a simple trade wrapper and involve handling exchange API credentials derived from a private key. In a trading context, undocumented credential setup is especially sensitive because it can grant durable trading capability and expand the impact of a compromise beyond a single action.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
Documenting account-wide settings changes such as max trade limits, pausing behavior, and auto-redeem expands the skill from per-trade execution into persistent account administration. That is dangerous because a user invoking a market-specific strategy may inadvertently be steered into changing global controls that affect all future trading activity.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Cancellation of all open orders and redemption functions are broader lifecycle-management actions not disclosed by the manifest. These capabilities can materially alter account state and asset availability, so hiding them behind a narrowly described trading wrapper increases operator surprise and misuse risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly instructs automatic approval transactions and says the agent should send them automatically when possible. Approval transactions can grant token spending rights and directly affect user assets, so performing them without a prominent warning and explicit consent creates substantial risk of unintended financial exposure.

Missing User Warnings

Medium
Confidence: 98%
Finding
The default policy says to place trades without blocking on extra confirmation, despite this being a live asset-impacting action. In a trading skill, that materially increases the chance of unauthorized or accidental order placement, especially when paired with wallet setup and automated readiness checks.

VirusTotal

66/66 vendors flagged this skill as clean.