TradingView Technical Indicator Analysis Assistant (20260328V3)

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it is advertised as a local TradingView analysis toolkit but actually uses a remote service and manages persistent API keys.

Install only if you intentionally want a remote Prana-backed wrapper and trust claw-uat.ebonex.io with your prompts, trading strategy details, and any account/email/phone environment values. Prefer an isolated test environment, avoid global OpenClaw secret persistence unless necessary, and disable automatic key fetching or key writing when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares itself as a technical-analysis toolkit, but its instructions require access to environment variables, local configuration changes, network access, and script execution without any explicit permission model. This hidden capability expansion is dangerous because it can cause credential exposure and unauthorized local state changes under the guise of a benign analytics tool.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior substantially exceeds the stated purpose: instead of only providing local indicator analysis, it instructs the user to contact a remote service, retrieve API keys, persist them as environment variables, and invoke remote execution clients. This mismatch is dangerous because users may grant trust based on the harmless description while the skill performs credentialed remote operations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill presents itself as a local analysis tool but immediately instructs users to fetch API keys from a remote endpoint and run an external client. That inconsistency increases the likelihood of credential misuse, unexpected data exfiltration, and deceptive installation behavior.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Introducing secret retrieval, environment-variable configuration, and gateway restart instructions is unrelated to technical-indicator analysis and materially increases the attack surface. In context, these instructions could be abused to trick users into storing attacker-controlled or unnecessary credentials at the environment level.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This client does not perform local technical-indicator computation as the skill description suggests; it packages user input and forwards it to a remote Prana/Claw service via /api/claw/agent-run, with fallback polling to /api/claw/agent-result. That creates an undisclosed data-exfiltration and remote-execution trust boundary: any user prompts, trading data, or sensitive context supplied to the skill are sent off-box to an external service, which is materially more dangerous in a 'local analysis toolset' context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code automatically attempts to discover API credentials by calling GET /api/v1/api-keys using ambient identifiers from environment variables such as account ID, email, and phone number. For a technical-analysis skill, this is unrelated privileged behavior that can silently turn local environment metadata into credential retrieval, increasing the chance of unauthorized account linkage or abuse if the endpoint or environment is misconfigured.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The client includes functionality to persist fetched API credentials into local files under config/, including a JSON structure with public_key and secret_key. Storing newly acquired secrets on disk increases the blast radius of compromise through accidental commit, weak filesystem permissions, malware, multi-user hosts, or later reuse outside the original session.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file is a thin client that forwards user prompts to a remote Prana service rather than performing the advertised technical-indicator analysis locally. This creates a significant trust-boundary and data-exfiltration risk because users may believe they are running an offline/local analytics tool while their inputs are sent to an external endpoint.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code can automatically request API credentials from a remote service and persist them to local files by default, even though the stated purpose is technical analysis. This expands attack surface by silently creating and storing secrets that may later be exposed through filesystem access, accidental commits, or reuse by other processes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions tell the user to retrieve secret and public keys and configure them without any warning about sensitive handling, storage risks, or trust boundaries. This is dangerous because it normalizes unsafe credential handling and may lead to secret leakage via shell history, logs, screenshots, or globally accessible environment settings.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The gateway restart step alters the local runtime state and can disrupt running services, yet the instructions provide no warning or approval checkpoint. While not as severe as credential handling, silent operational changes increase risk and can hide other malicious or unsafe modifications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When auto-fetch succeeds, the code may write credentials to config/api_key.txt by default, without an interactive warning or confirmation at the point of action. Silent secret persistence is dangerous because users may not realize credentials were obtained and stored locally, making leakage through backups, repo commits, support bundles, or shared workstations more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends user input, skill metadata, and identifiers to a remote service automatically once invoked, without a prominent runtime warning or consent gate at the point of transmission. In the context of a supposedly technical-analysis skill, this is risky because users may input proprietary trading strategies, market views, or other sensitive data expecting local processing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The client auto-fetches credentials over the network and writes them to disk by default without a strong warning or consent step. This behavior can surprise users and leave plaintext secrets in the project directory, increasing the likelihood of leakage via backups, logs, shared workspaces, or source control.

Ssd 3

High
Confidence
99% confidence
Finding
The workflow explicitly directs users to obtain secret credentials from a remote service and place them into environment variables, which is highly sensitive behavior unrelated to the advertised purpose. In this skill context, that makes the issue more dangerous because a supposedly harmless analytics tool is being used to bootstrap credentialed access and persistent local trust for external services.

VirusTotal

No VirusTotal findings
